Slashdot Mirror


Adobe Still Ignores Elcomsoft-Discovered Holes

evenprime writes "In 2001, Dmitry Sklyarov described vulnerabilities in Adobe Acrobat and Adobe Acrobat Reader while giving a talk at Defcon 9. As has been previously mentioned, Dmitry was arrested the day after this talk. He and his company Elcomsoft were charged with violating the DMCA. Now Elcomsoft have announced that Adobe, two years later, has still not patched these bugs."

9 of 305 comments

  1. relapse by mirko · · Score: 5, Interesting

    They once warned them, then the public about their feeble rot13 encryption scheme.
    They got busted because of the DMCA.
    Now, they do it again.
    I guess Dmitry should avoid the USA during the next months, otherwise, he'll soon understand that in Soviet American Corps, success is not a matter of technical excellence but rather a matter of negotiation skills and of litigation.
    So, why should Adobe managers solve this "bug" when they'll get promoted by complaining about a "criminal offense"?

    (Note to the mods: I have been hard-working during 18 months in an American Corp, I know what it is about.)

    --
    Trolling using another account since 2005.
    1. Re:relapse by Goldberg's+Pants · · Score: 5, Interesting

      It's a lot less effort to sic the lawyers on people than actually PATCH the vulnerability. Security through obscurity (and fear).

      Seriously, this isn't that surprising. Outside the tech sector, the Sklyarov thing was largely ignored, and the Adobe vulnerability has been too. The sad thing is, as a writer, it pains me to see a format which is SUPPOSED to be secure be swiss cheesed. Would never use it myself, but Adobe are the real criminals in this. Defrauding people by saying "yes, this format is secure" when it quite obviously isn't.

  2. Acrobat isn't so wonderful... by t0qer · · Score: 4, Interesting

    I don't think it is..

    Sure you have chapters, exact replication of your original document, DRM, cross platform, and other nifty features, but all this and more could be implemented using a combination of HTML, PHP, and java.

    For example, if I was going to sell some html online I could use the PHP application oscommerce to make sure I got paid, HTML for chapters and such, and java to disable people from simply copying and pasting the text somewhere it could be shared.

    Sure, it sounds really technical to the folks that are used to doing a "file>save>PDF" in acrobat. But I wouldn't think that it would be that much more difficult.

  3. Re:Excellent! by Noryungi · · Score: 4, Interesting
    "The obvious thing to do is to sue Adobe since their free product discriminates against the blind."

    Bzzzzt! Wrong answer!

    1. Adobe is not responsible for the PDF files that are produced by its customers. The "basic" Adobe Acrobat Reader has all the functions necessary to export the document to text for instance. (In Acrobat Reader 5.0/Windows, click on File > Export Document to Text).
      But it is still possible to create a PDF file that does not allow any manipulation or export...
    2. Non-discrimination laws vs the blind only apply to some countries (AFAIK USA and -- maybe -- Spain). There is no such law in the country where my friend and I live.
    3. Do you have the kind of money that would be necessary to sue Adobe? Do you have enough money in your bank account that it would not matter to you if you actually lost the case? Hmmmm...? Maybe you do... but I don't.


    I am definitely going to order one of the Elcomsoft utilities for my friend... ;-)
    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  4. Microsoft does the same... and profits!! by jkrise · · Score: 5, Interesting

    During every upgrade to a new Windows OS, we are advised to run a check for file viruses using anti-virus s/w. It's a tragedy that software exploits are described as viruses and linked to terrorists and success-haters. Why can't MS make newer releases of their OSes at least immune to known viruses and the associated vulnerabilities???

    Every new release of s/w causes some code to break - a game here, a dll there, an application and so forth. The only thing that runs well on all flavours of MS OSes from DOS to XP is viruses!

    It's easier to obfuscate and profitable as well, apparently.

    --
    If you keep throwing chairs, one day you'll break windows....
    1. Re:Microsoft does the same... and profits!! by jkrise · · Score: 4, Interesting

      "Do you mean "built-in antivirus software"

      No, I don't. To put things in perspective, a virus is actually a software exploit of a bug in the OS and components. Immunity to a s/w virus does not mean deleting the instance or occurrence of the virus, it means correcting the code which caused the virus to work in the first place!

      We've been conditioned into thinking that viruses are external to the OS and can't be prevented, only cured by yet another piece of s/w. It's difficult to appreciate the sloppiness of code that gets passed thru generations of Windoze without fixing of bugs.

      In short, I don't mean "Built-in anti-virus software" but "Removal of bugs in code with each new code version at least".

      --
      If you keep throwing chairs, one day you'll break windows....
  5. Re:Excellent! by Kierthos · · Score: 4, Interesting

    Oddly enough, if you have the proper plug-in for Adobe Acrobat, you can take one of those "protected" files, extract all the pages to a separate file, and then save it. Had to do that at work when the clueless-as-hell customer gave us a file to print that was protected. (Furthermore, the customer didn't know how to "un-protect" it, and the person who did was on vacation.)

    In the off chance that doesn't work, you can import the file, page by page, into Photoshop and resave the pages. But that's really only an option with files that are fairly small in terms of page count.

    Kierthos

    --
    Mr. Hu is not a ninja.
  6. Most people can't do both. by Futurepower(R) · · Score: 5, Interesting


    Very, very few people, apparently, have both technical knowledge and managerial knowledge.

    The problem mentioned in the Slashdot story appears to be that Bruce Chizen, Adobe president, is not prepared for the intellectual challenge of running a technical company. He's been a salesman and marketing manager all his life. Now Adobe has become dependent on Acrobat, and has a big customer for Acrobat, the IRS (U.S. Internal Revenue Service).

    It's amazing. The job pays extremely well, even though the smart people are gone, Adobe has laid off people, and the stock is slowly sliding.

    We live in a business climate in which a few people at the top make a huge amount of money, and other people suffer, even though they helped make the money.

    There seems to be a pattern with technological companies. The people who really understand the technology get tired and go on to other things, or are forced out of the company they founded (as was Jobs at Apple). Everyone pretends that nothing has happened, and the company runs on inertia for a while. With luck, the new managers, who try to hide the fact that they really don't understand what the company does, encounter a business upturn. But inside, the company is dying.

    John Sculley was a sugar water salesman (Pepsi) before he came to Apple and forced Jobs out. Apple looked okay for a while, but slowly lost importance. Then Jobs came back, and Apple became very important.

    Adobe's PostScript is brilliant technology. Using PostScript to make PDF files is brilliant. Knowing what photo editing tools need to go into Photoshop requires deep technical understanding. Probably Bruce Chizen understands none of this. Can a manager run something he does not understand? No.

  7. up to version 6 by mblase · · Score: 4, Interesting

    "It's a lot less effort to sic the lawyers on people than actually PATCH the vulnerability. Security through obscurity (and fear)"

    It's even more damning because Adobe just recently upgraded their PDF Reader software from version 5 to version 6, yet have failed to patch this particular problem. You'd think that somewhere among all the features (?) added between two major releases they'd have found time for this.