Slashdot Mirror
Adobe Still Ignores Elcomsoft-Discovered Holes
evenprime writes "In 2001, Dmitry Sklyarov
described vulnerabilities in Adobe
Acrobat and Adobe Acrobat Reader while
giving a talk at
Defcon 9.
As has
been
previously
mentioned, Dmitry was arrested the day after this talk. He and his company Elcomsoft were charged with violating the DMCA. Now Elcomsoft have announced that
Adobe, two years later,
has still not patched these bugs."
They once warned them, then the public about their feeble rot13 encryption scheme.
They got busted because of the DMCA.
Now, they do it again.
I guess Dmitri should avoid the USA during the next months, otherwise, he'll soon understand that in Soviet American Corps, sucees is not a matter of technical excellency but rather a matter of negociation skills and of litigation.
So, why should Adobe managers solve this "bug" when they'll get promoted by complaining about a "criminal offense" ?
(Note to the mods: I have been hard-working during 18 months in an American Corp, I know what it is about.)
Trolling using another account since 2005.
Maybe more companies will bait their software with easy exploits to snare those who try to circumvent it
If nothing else, it gives the companies an excuse to their shareholders for shoddy coding.
[...]may we ask who found those bugs again?
Foolish PC users! Us Macintosh people will be entirely unaffected by these exploits... ...because Adobe is starting to stop making programs for mac... :(
I'll form my OWN solar system! With blackjack! And hookers!
... of sweeping the bugs under the rug and ignoring that they exist while punishing the kid for pointing out the bugs.
When those bugs crawl out from under the rug... that's when you start feeling the pinch... quite literally... coz they're nasty bugs that bite.
...if that isn't a new way of fixing bugs.
Sueing the people until they stop caring and reporting them (the bugs).
That amazon guy probably has already patented it.
its just a way to trick acrobat into thinking your plugin is signed. if your installing a plugin for anything you should realize it will be executing on your computer and proceed with caution. its not the hosting app's job to make sure its plugins don't do anything they're not suppose to do (imo that responsibility should fall on the os, but thats mho) - so whatever extra security added by adobe to try and prevent untrusted plugins is pure gratis
bite my glorious golden ass.
As I have said before, one of my friend is blind.
Have you got any idea how fscking difficult it is for the poor chap to read "protected"[1] PDF files? Trust me, it's pure hell!!
At least, since Adobe has decided to pull an MS on its users and ignore known problems, maybe I'll be able to crack some of these protected files for my friend, so that he can read them.
So, there are, er, ahem... unexpected benefits to this sh___y Adobe attitude...
Just my US$ 0.02...
[1] "Protected" as in: "can't print, can't copy, can't save as". Yes, Virginia, you can create that kind of PDF files!
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
You missed the point, the vulnerability is a big one and doesnt involve the final user.
As you may already know many companies use PDF to realse secure documents, this companies are confident that adobe security will keep the document as read only so no llama will make changes for fun or copy paste their info.
But then we have this vulnerability where you can load a custom plugin in secure mod, this plug in could use all the privileges a secure plug in has, like for example saving an unencrypted version of the file or, why not, a pain text copy.
This sound like a big vulnerability to me, but companies that use Acrobat are the ones that should be angry.
Sigs are for morons... Wait a minute...
Even the article gets it wrong now.
Sklyarov!
Perhaps Adobe should work with Lexmark to help them out with the crypto coding; you know, that great company that protects the consumer against accidentally using cheap ink with strong cryptographic chips. Then Adobe could not only provide a PDF option to prevent you from printing a document, they could also enforce that if printed, a PDF document will only be printed with 100%-genuine Lexmark toner. Oh, I see another option with Kodak here, perhaps by embedding RFID tags directly in that specical Kodak paper.
BTW, did anyone notice that with the latest PDF specification, version 1.5, which corresponds to Acrobat 6, that they added verbage to the copyright/license part to enforce that all software which implements the PDF specification must obey all those stupid magic security bits? They claim the specification is open and free for anybody to develop software around it, but that since the "format" is copyrighted all independently developed software must obey their fragile DRM schemes. How in the world can they copyright a format; sure their specification is copyrighted being a printed work, but the "format"?
I don't think it is..
Sure you have chapters, exact replication of your original document, DRM, cross platform, and other nifty features, but all this and more could be implemented using a combination of HTML, PHP, and java.
For example, if I was going to sell some html online I could use the PHP application oscommerce to make sure I got paid, HTML for chapters and such, and java to disable people from simply copying and pasting the text somewhere it could be shared.
Sure, it sounds really technical to the folks that are used to doing a "file>save>PDF" in acrobat. But I wouldn't think that it would be that much more difficult.
I, personally, would like to make my annoyance at this situation known.
Who do we contact at Adobe? How do we make a serious stink about this? Are the board members of this company contactable somehow? I'd go to the effort of writing a decent letter explaining to them their stupidity and callousness, if I knew where to send it.
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
I once asked my boss why our company has to raise so many lawsuits each year. He told me under the influerence of a couple of beers that if we don't keep our lawyers busy they'd find something to sue us.
"They're like guarddogs" after more beers "if you don't feed them well they might bite you one day"
I know this is an unfair comparison. Accept my apology to all the faithful employees...I meant to those guarddogs.
After all, we knew the DMCA would have this effect on companies and software, where bugfixes are unnecessary by litigation.
Why fix software when we can send lawyers and make examples and burning effigies instead?
Doing the Right Thing should not be preempted by making a buck.
During every upgrade to a new Windows OS, we are advised to run a check for file viruses using anti-virus s/w. It's a tragedy that software exploits are described as viruses and linked to terrorists and success-haters. Why can't MS make newer releases of their OSes atleast immune to known viruses and the associated vulnerabilities???
Every new release of s/w causes some code to break - a game here, a dll there, an application and so forth. The only thing that runs well on all flavours of MS OSes from DOS to XP is viruses!
It's easier to obfuscate and profitable as well, apparently.
If you keep throwing chairs, one day you'll break windows....
I think this must be the official reply from the Adobe spokesperson.
"It usualy starts with some screaming. Afterwards there is much running around."
Very, very few people, apparently, have both technical knowledge and managerial knowledge.
The problem mentioned in the Slashdot story appears to be that Bruce Chizen, Adobe president, is not prepared for the intellectual challenge of running a technical company. He's been a salesman and marketing manager all his life. Now Adobe has become dependent on Acrobat, and has a big customer for Acrobat, the IRS (U.S. Internal Revenue Service).
It's amazing. The job pays extremely well, even though the smart people are gone, Adobe has laid off people, and the stock is slowly sliding.
We live in a business climate in which a few people at the top make a huge amount of money, and other people suffer, even though they helped make the money.
There seems to be a pattern with technological companies. The people who really understand the technology get tired and go on to other things, or are forced out of the company they founded (as was Jobs at Apple). Everyone pretends that nothing has happened, and the company runs on inertia for a while. With luck, the new managers, who try to hide the fact that they really don't understand what the company does, encounter a business upturn. But inside the company is dying.
John Sculley was a sugar water salesman (Pepsi) before he came to Apple and forced Jobs out. Apple looked okay for a while, but slowly lost importance. Then Jobs came back, and Apple became very important.
Adobe's Postscript is brilliant technology. Using Postscript to make PDF files is brilliant. Knowing what photo editing tools need to go into Photoshop requires deep technical understanding. Probably Bruce Chizen understands none of this. Can a manager run something he does not understand? No.
[monty python reference]
DIMITRI: If you will not fix rot13 encryption, we shall publish an exploit!
ADOBE LAWYER: You don't frighten us, Russian pig-dogs! Go and boil your bottom, sons of a silly person. I blow my nose at you, so-called Dimitri Hacker, you and all your silly Russian k-nnnnniggets. Thpppppt! Thppt!Thppt!
SLASHDOT: What a strange company.
DIMITRI: Now look here, my good man--
ADOBE LAWYER: I don't wanna talk to you no more, you empty headed animal food trough wiper! I fart in your general direction! You mother was a hamster and your father smelt of elderberries!
SLASHDOT: Is there someone else up there he could talk to?
ADOBE LAWYER: No, now go away or I shall sue you a second time-a!
ADOBE EMPLOYEE #1: I didn't know we were Idiots?
ADOBE EMPLOYEE #2: Of course, why else do you think we are protecting this ridiculous algorithm?
[/monty python reference]
This really shouldn't surprise anyone. The DMCA gives companies a right to sue if you reverse engineer an encyption device. But the DMCA offers no protecting to the consumer by requireing a company to FIX the problem.
Besides /., this story has not had a whole lot of publicity. Add to that the fact that most people wouldn't know how to decrypt the e-books (and, more importantly, probably don't all that much care), there really isn't much incentive for Adobe to fix it.
The puzzling thing to me is that it seems like it really wouldn't cost all that much to fix. I mean, it is a patch afterall and every friggin time I start up Photoshop Elements it is downloading some update (though not sending any of my personal information... hehe!).
IAAL, so what I start to think is: Does Adobe have any liability for failure to patch the software when an author loses money because his or her ebook is pirated? No doubt in advertising and selling the software, Adobe touted the encryption as a safety feature. Contributory infringement, maybe? Misrepresentation? A warranty theory? Hmm....
They characterize a new bug (oversight in the fix, see below) as having done absolutely nothing. Not very honest...
I'm pretty impressed that slashdot didn't post the inaccurate "no improvements for 2 years" title, when it is clearly a fact (based on the text of the article) that Adobe added a new, stronger signing method in version 6, as a good-faith attempt to solve this problem. Yes, "2 years" appears to be true, but that's not the 2 years from July 2001 to July 2003 (today).
Likewise, the statement at the top: "oftware released in 2003 contains vulnerabilities disclosured in 2001" gives the impression that the new version contains the exact same vulnerability, rather than an oversight in a major rework of the security mechanism that was intended to fix the bug.
It sounds like Adobe really did try to fix the problem. They implemented a new, strong signing method. They even adandoned backwards compatibility and refuse to load the old, easily forged plugins when in certified mode. As Elcom's message explains, Acrobat 6 only allows "certified" mode if all the plugins have the new, strong signatures, or if all the plugins if finds have these signatures it automatically goes into certified mode.
The real complaint appears to be an oversight that some undocument function, which is callable in uncertified mode by an unsigned plugin (or one of the legacy weakly authenticated plugins) can call this undocumented function and cause Acrobat to switch into certified mode. Quoting from the Elcom message:
So there you have it, a secutity real announcement, burried after a lengthy rant about how slow and unresponsive Adobe has been.
Yes, Adobe has a bad attitude. Yes, they fscked up and their attempt to fix the problem still has an exploitable weakness. Ok, I can buy that Adode has a bad attitude.
Elcom (or specifically, Vladimir Katalov) doesn't impress me much either, when it comes to attitude and standards of professional conduct. This angry rant attempts to paint a picture of Adobe has having still done utterly nothing to fix this problem... including a very misleading tital and summary.
Katalov sinks to the tactic of use a embedded an advisory of a weakness to attract attention to an angry rant about his frustrations with Adobe's unresponsive history.
PJRC: Electronic Projects, 8051 Microcontroller Tools
Adobe is trying to tell customers that they have a format in which you can send a document to someone, and that document will only be readable on that one computer, or will not be printable, or will not be copyable to the clipboard or whatever.
This is fundamentally impossible. If my computer can display the document on screen for me, then this means that the computer MUST have all the required information to do so. This includes any and all secret keys if the document is encrypted and so on.
This implies that the computer also has all the info needed to print the document, or copy it to the clipboard or whatever. Now, Adobes product could only work if the computer "knew" how to do this, but refused to do it anyway, in other words, if the computer was not obeying the end-user.
This is possible with secure hardware and similar that refuse to run code that is not digitally signed by the real master (not the end-user and owner!). But with the current computers that happily run anything you the user want in priviledged mode it is not possible.
Sure they could, and probably should, patch this spesific hole. But there's nothing Adobe can do to make they so-called "secure pdf" actually do what they claim it will do. And they know it.
If future commercial software relies on the law for its security rather than actual software security, this may be a good thing for open source. When that happens, we really can then say that OSS is truly more secure.
Well, you COULD say that, but then you'd be violating the DMCA, and they'd have to put you away.
"It's better to have a gun and not need it than need a gun and not have it." ~ Christian Slater, True Romance
This "vulnerability" means that you can run plugins WITHOUT having them signed by Adobe.
THAT is the problem. Companies use Adobe Acrobat to create forms that should not be altered outside the company, like contracts, and send them to their customers to fill out. If said company can no longer trust that their customers won't be able to change text in their contract without notifying them, then Adobe Acrobat is completely meaningless.
My last job was at an ISP that would create contracts and accounting papers in Acrobat, then send them to people to fill in certain information. Sometimes, the documents could be 30-50 pages in length. It obviously would take quite a long time to manually go through and verify that nothing inappropriate (i.e. the cost of getting out of the contract) would be changed. Of course, in that case, the company deserved whatever it got, but that's beside the point.
"It's better to have a gun and not need it than need a gun and not have it." ~ Christian Slater, True Romance
It's a lot less effort to sic the lawyers on people than actually PATCH the vulnerability. Security through obscurity (and fear)
It's even more damning because Adobe just recently upgraded their PDF Reader software from version 5 to version 6, yet have failed to patch this particular problem. You'd think that somewhere among all the features (?) added between two major releases they'd have found time for this.
Too many people don't pay attention to where their plug-ins and other downloads come from - that is where a big part of the problem starts. End users need to own up to that fact that when a warning comes up about an unsigned or questionable certificate, they need to ask some serious questions before installing.
Sure, Adobe still has a "vulnerability" in the strict sense of the word, and if they want to continue marketing a weak security product, that is their business. In my opinion, their inspired release of Acrobat Elements will make Adobe a bigger player and Acrobat a major product. Going in to this with a problem is just bad business and will not help them. And whacking the messenger with the DMCA is definitely not a solution!
Thank God they only do media-like applications. Imagine what would happen if they were responsible for system-level applications or the operating system. A company that drags its feet to this degree in patching security holes could really be a problem. I just can't imagine what that would be like. Can you?
I had a sucky sig.