Slashdot Mirror


Adobe Still Ignores Elcomsoft-Discovered Holes

evenprime writes "In 2001, Dmitry Sklyarov described vulnerabilities in Adobe Acrobat and Adobe Acrobat Reader while giving a talk at Defcon 9. As has been previously mentioned, Dmitry was arrested the day after this talk. He and his company Elcomsoft were charged with violating the DMCA. Now Elcomsoft have announced that Adobe, two years later, has still not patched these bugs."

21 of 305 comments

  1. relapse by mirko · Score: 5, Interesting

    They once warned them, then the public, about their feeble rot13 encryption scheme.
    They got busted because of the DMCA.
    Now, they do it again.
    I guess Dmitri should avoid the USA during the next months; otherwise, he'll soon understand that in Soviet American Corps, success is not a matter of technical excellence but rather a matter of negotiation skills and of litigation.
    So, why should Adobe managers solve this "bug" when they'll get promoted by complaining about a "criminal offense"?

    (Note to the mods: I have been working hard for 18 months in an American Corp, I know what it is about.)

    --
    Trolling using another account since 2005.
    1. Re:relapse by Goldberg's+Pants · Score: 5, Interesting

      It's a lot less effort to sic the lawyers on people than actually PATCH the vulnerability. Security through obscurity (and fear).

      Seriously, this isn't that surprising. Outside the tech sector, the Sklyarov thing was largely ignored, and the Adobe vulnerability has been too. The sad thing is, as a writer, it pains me to see a format which is SUPPOSED to be secure be swiss cheesed. Would never use it myself, but Adobe are the real criminals in this. Defrauding people by saying "yes, this format is secure" when it quite obviously isn't.

    2. Re:relapse by Surak · Score: 1, Interesting

      Wait.... I never caught this before...

      rot13?

      They seriously charged Dmitry with breaking ROT13 under the DMCA? This is not a joke? I always thought the people joking about breaking rot13 sigs and whatnot were kidding. Turns out it's HHOS.

      Damn. rot13 barely qualifies as encryption.

    3. Re:relapse by KU_Fletch · Score: 1, Interesting

      After working as a programmer in a corporate environment for a year+ I can pretty much say that the odds of the programmers even getting the opportunity to fix this would be slim. Thanks to the wonders of corporate micromanagement, almost the entire programming staff where I worked was threatened at one point or another not to deviate from management-approved development tracks. Taking the time to research and fix the bug (even though the research seems to be done by external forces at this point) is taking time away from the company, and in big systems like Adobe, that's a big no-no.

      That being said, I'm about 90% confident that somewhere in the last year, one or two Adobe programmers have coded a bug fix and have it sitting around, but management won't let them put it in because they see it as caving into "illegal" hackers like the DEFCON speakers.

      --
      It's not stupid. It's advanced.
  2. Acrobat isn't so wonderful... by t0qer · Score: 4, Interesting

    I don't think it is...

    Sure you have chapters, exact replication of your original document, DRM, cross platform, and other nifty features, but all this and more could be implemented using a combination of HTML, PHP, and Java.

    For example, if I was going to sell some HTML online I could use the PHP application osCommerce to make sure I got paid, HTML for chapters and such, and Java to stop people from simply copying and pasting the text somewhere it could be shared.

    Sure, it sounds really technical to the folks that are used to doing a "file>save>PDF" in acrobat. But I wouldn't think that it would be that much more difficult.

    1. Re:Acrobat isn't so wonderful... by sbuckhopper · Score: 2, Interesting

      A better replacement is good old PostScript: the only downside of PS is that it takes up about 2.5 times as much space as the equivalent PDF.

      Better than PS, why not use DVI? Definitely no royalties or patents here, and by the mere specification of it, a device-independent format, it is device, OS, whatever independent and will look the same on anything that it is viewed on. Sure, at this point it is implemented by TeX, but there is no one stopping it from being implemented elsewhere.

      --
      "Everybody knows the moon's made of cheese," Wallace.
  3. Re:Excellent! by Noryungi · Score: 4, Interesting

    "The obvious thing to do is to sue Adobe since their free product discriminates against the blind."

    Bzzzzt! Wrong answer!

    1. Adobe is not responsible for the PDF files that are produced by its customers. The "basic" Adobe Acrobat Reader has all the functions necessary to export the document to text, for instance. (In Acrobat Reader 5.0/Windows, click on File > Export Document to Text.)
      But it is still possible to create a PDF file that does not allow any manipulation or export...
    2. Non-discrimination laws vs the blind only apply to some countries (AFAIK USA and -- maybe -- Spain). There is no such law in the country where my friend and I live.
    3. Do you have the kind of money that would be necessary to sue Adobe? Do you have enough money in your bank account that it would not matter to you if you actually lost the case? Hmmmm...? Maybe you do... but I don't.

    I am definitely going to order one of the Elcomsoft utilities for my friend... ;-)
    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
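    The "does not allow any manipulation or export" protection described above is, in the PDF standard security handler, an integer /P in the document's /Encrypt dictionary whose bits tell the viewer which operations to permit. This Python decoder is an added example, not code from any post or from Adobe; the bit layout follows the PDF 1.7 specification (Table 3.20), the encryption dictionary is a constructed sample, and the regex scan stands in for a real PDF object parser.

```python
import re

# Permission bits of the /P entry (PDF 1.7 spec, Table 3.20). Bits are
# numbered from 1 at the least-significant end, so bit n has value 1 << (n-1).
# Note the separate bit 10: extraction for accessibility (screen readers).
PERMISSION_BITS = {
    3: "print",
    4: "modify contents",
    5: "copy or extract text and graphics",
    6: "add annotations / fill form fields",
    9: "fill form fields",
    10: "extract text for accessibility",
    11: "assemble (insert, rotate, delete pages)",
    12: "print at high quality",
}


def decode_permissions(p: int) -> dict:
    """Map a signed 32-bit /P value to {permission name: allowed?}."""
    p &= 0xFFFFFFFF  # /P is serialised as a signed integer; view it unsigned
    return {name: bool(p & (1 << (bit - 1)))
            for bit, name in PERMISSION_BITS.items()}


def permissions_from_encrypt_dict(encrypt_dict: str) -> dict:
    """Pull /P out of the raw text of an /Encrypt dictionary (simplified scan)."""
    m = re.search(r"/P\s+(-?\d+)", encrypt_dict)
    if m is None:
        raise ValueError("no /P entry: not a standard security handler dictionary")
    return decode_permissions(int(m.group(1)))


# Constructed sample: a "print only" document. /P -1852 (0xFFFFF8C4) clears
# every permission bit except 3 (print) and 12 (high-quality print).
SAMPLE_ENCRYPT_DICT = (
    "<< /Filter /Standard /V 2 /R 3 /Length 128 /P -1852 "
    "/O <0000000000000000000000000000000000000000000000000000000000000000> "
    "/U <0000000000000000000000000000000000000000000000000000000000000000> >>"
)

if __name__ == "__main__":
    for name, allowed in permissions_from_encrypt_dict(SAMPLE_ENCRYPT_DICT).items():
        print(f"{'allowed' if allowed else 'denied':8} {name}")
```

    These bits are a request to the viewer, not a cryptographic barrier: the reader that opens the document decides whether to honour them, which is the gap the rest of the thread is about.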
  4. Microsoft does the same... and profits!! by jkrise · Score: 5, Interesting

    During every upgrade to a new Windows OS, we are advised to run a check for file viruses using anti-virus s/w. It's a tragedy that software exploits are described as viruses and linked to terrorists and success-haters. Why can't MS make newer releases of their OSes at least immune to known viruses and the associated vulnerabilities???

    Every new release of s/w causes some code to break - a game here, a dll there, an application and so forth. The only thing that runs well on all flavours of MS OSes from DOS to XP is viruses!

    It's easier to obfuscate and profitable as well, apparently.

    --
    If you keep throwing chairs, one day you'll break windows....
    1. Re:Microsoft does the same... and profits!! by jkrise · Score: 4, Interesting

      "Do you mean 'built-in antivirus software'?"

      No, I don't. To put things in perspective, a virus is actually a software exploit of a bug in the OS and components. Immunity to a s/w virus does not mean deleting the instance or occurrence of the virus, it means correcting the code which caused the virus to work in the first place!

      We've been conditioned into thinking that viruses are external to the OS and can't be prevented, only cured by yet another piece of s/w. It's difficult to appreciate the sloppiness of code that gets passed thru generations of Windoze without fixing of bugs.

      In short, I don't mean "Built-in anti-virus software" but "Removal of bugs in code with each new code version at least".

      --
      If you keep throwing chairs, one day you'll break windows....
    2. Re:Microsoft does the same... and profits!! by pdoucy · Score: 2, Interesting

      "a virus is actually a software exploit of a bug in the OS and components"

      This is the case for trojans, viruses spreading by mail (I should say "via Outlook"). For those I have to agree with you.

      But I'm used to thinking about viruses in terms of a little (native) piece of code which replicates by copying itself into another piece of code. From that perspective, I can't see any other solution than breaking everything at each new release, or embedding an antivirus into the OS.

      Some years ago, viruses were written in assembler and even C was considered too high level for this purpose (!). Nowadays, virus writers don't even know what assembler is.

      --
      Cats are intended to teach us that not everything in nature has a function.
    3. Re:Microsoft does the same... and profits!! by Arker · Score: 2, Interesting

      Assembler? Bah! Assembler generates too much bloat.

      Real viruses are handcoded in hexadecimal and 'compiled' with debug.

      Those were the days.

      And you're right, what he's saying doesn't make too much sense in the context of that sort of virus; although having an actual security model like real operating systems hampers them, it can't prevent them.

      But take a look at the crap that passes for viruses these days. 99.9% of it won't work even on my Windows machine, simply because it is completely devoid of mshtml and associated crap. In that context, what he's saying makes perfect sense. Those viruses are simply exploits of hideously bad design flaws in MS software. MS works hard to get customers who don't know any better to see them as inevitable, so they don't blame MS and so they spend even more money buying virus scanners and the like, rather than bother to fix their bugs.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
  5. Re:Excellent! by Kierthos · Score: 4, Interesting

    Oddly enough, if you have the proper plug-in for Adobe Acrobat, you can take one of those "protected" files, extract all the pages to a separate file, and then save it. Had to do that at work when the clueless-as-hell customer gave us a file to print that was protected. (Furthermore, the customer didn't know how to "un-protect" it, and the person who did was on vacation.)

    In the off chance that doesn't work, you can import the file, page by page, into Photoshop and resave the pages. But that's really only an option with files that are fairly small in terms of page count.

    Kierthos

    --
    Mr. Hu is not a ninja.
  6. This may be good for OSS by ndogg · Score: 3, Interesting

    If future commercial software relies on the law for its security rather than actual software security, this may be a good thing for open source. When that happens, we really can then say that OSS is truly more secure.

    --
    // file: mice.h
    #include "frickin_lasers.h"
    1. Re:This may be good for OSS by 0x0d0a · Score: 2, Interesting

      Nothing preventing OSS in the US from relying on the DMCA. I mean, I don't see it happening, but from a legal perspective, it could.

  7. Most people can't do both. by Futurepower(R) · Score: 5, Interesting

    Very, very few people, apparently, have both technical knowledge and managerial knowledge.

    The problem mentioned in the Slashdot story appears to be that Bruce Chizen, Adobe president, is not prepared for the intellectual challenge of running a technical company. He's been a salesman and marketing manager all his life. Now Adobe has become dependent on Acrobat, and has a big customer for Acrobat, the IRS (U.S. Internal Revenue Service).

    It's amazing. The job pays extremely well, even though the smart people are gone, Adobe has laid off people, and the stock is slowly sliding.

    We live in a business climate in which a few people at the top make a huge amount of money, and other people suffer, even though they helped make the money.

    There seems to be a pattern with technological companies. The people who really understand the technology get tired and go on to other things, or are forced out of the company they founded (as was Jobs at Apple). Everyone pretends that nothing has happened, and the company runs on inertia for a while. With luck, the new managers, who try to hide the fact that they really don't understand what the company does, encounter a business upturn. But inside, the company is dying.

    John Sculley was a sugar water salesman (Pepsi) before he came to Apple and forced Jobs out. Apple looked okay for a while, but slowly lost importance. Then Jobs came back, and Apple became very important.

    Adobe's Postscript is brilliant technology. Using Postscript to make PDF files is brilliant. Knowing what photo editing tools need to go into Photoshop requires deep technical understanding. Probably Bruce Chizen understands none of this. Can a manager run something he does not understand? No.

    1. Re:Most people can't do both. by elpapacito · Score: 2, Interesting

      Wait, good managing isn't realizing you don't know jack about something so you need to hire somebody else who knows about technology. That is the conditio sine qua non for even attempting an enterprise that isn't a scam. I mean even attempting a garage sale requires understanding one must first check with local law to see if it's allowed without any kind of bookkeeping.

      Is that managing? Obviously it is. But another kind of managing, much more complex, is the kind one must do when developing a new product or introducing innovation in a product.

      Unfortunately, once a sellable product is obtained the manager may choose to reduce investment on innovation (in other words, cut developing costs) because he/she is also pressed by investors/bank who don't give a flying F about innovation, all they care about is money and that's pretty obvious, a bank business involves financing not developing/selling goods.

      If an at least temporary equilibrium is achieved the average manager will almost surely take the least risky path of keeping on selling the good that is currently selling, instead of attempting to develop new ones.

      The way things seem, the guys/girls who developed the product from scratch (read, technicians/researchers) often if not always see only a fraction of the revenue from the product because securing a right on revenues is extremely difficult. But they are the ones that are most likely to develop new products, not the manager.

  8. Re:What motivation do they have to fix it? by Anonymous Coward · Score: 2, Interesting

    If I was a book publisher I would think twice before using Adobe's ebook technology to release my titles. That should be enough incentive for Adobe to fix the vulnerability.

    Unless Adobe doesn't really care about the format. Maybe they just won't fix it because they expect Microsoft to take over the ebook market with its DRM plans.

  9. up to version 6 by mblase · Score: 4, Interesting

    "It's a lot less effort to sic the lawyers on people than actually PATCH the vulnerability. Security through obscurity (and fear)"

    It's even more damning because Adobe just recently upgraded their PDF Reader software from version 5 to version 6, yet have failed to patch this particular problem. You'd think that somewhere among all the features (?) added between two major releases they'd have found time for this.

  10. Re:How viruses spread and how to prevent it by Pfhreakaz0id · Score: 2, Interesting

    Ok, I'm sure I'll get slammed for this, but I'm going to defend Microsoft a little. The main problem is the APPS, not the OS. Why? Because, as you say, this stuff is possible now. So what's the problem? Go do it on a win2k box. Apps will start to break all over the place. Most applications expect to run as admin. My scanner (a umax) will not function unless run as admin. I don't mean it won't install (hell, I should have to login as admin to install hardware) IT WON'T RUN.

    Tech support's solution is "run as admin". When I did all the security auditing, figuring out what registry keys/files it needed permission to and changed them and sent them the files a YEAR AND A HALF AGO, they still haven't fixed it.

    It simply isn't practical to run a workstation as non-admin on 2k unless you just run a base install of OS, Office and IE. Trust me, I tried, and gave up.

    Heck -- now I will bash Microsoft :) -- Microsoft's own Age of Mythology, which I got for my son, won't run as non-admin. It actually does pop up a box saying "this game won't run as non-admin". So presumably, even if I did a security audit and changed the settings, it wouldn't run.

    Like I said, I gave up.

  11. EFF.org supporting Adobe? by scorch70 · Score: 2, Interesting

    Just a question. Any ideas why EFF.org would be supporting Adobe after the Elcomsoft case?

    http://www.eff.org/thanks/

    --
    Don't support DRM - Boycott Itunes
  12. Typically Adobe... by writermike · Score: 2, Interesting

    My first thought after reading this was that the company was embarrassed and didn't want to admit to the bugs.

    But then I realized something...

    I've worked in companies which were active beta and alpha testers for Adobe software of all kinds, but especially for the print industry.

    Adobe rarely admits bugs. Period. As long as the problem is not a show-stopper (or is an obscure show-stopper), it will rarely get fixed. It _may_ get a mention in the knowledgebase, but this is not a given.

    There are still things plaguing the printing industry in multiple versions of multiple Adobe products -- Acrobat, Illustrator, InDesign, etc.

    So, no, it's not a surprise that Adobe didn't fix this. They don't fix much.

    --
    If Nalgene water bottles are outlawed, only outlaws will have Nalgene water bottles.