Adobe refutes Elcomsoft's vulnerability report on PDF security

Adobe refutes Elcomsoft's vulnerability report on PDF security

Post by Kurt Fo » Wed, 16 Jul 2003 03:16:23



from the Planet PDF newsletter -->

___ Adobe refutes Elcomsoft's vulnerability report on PDF security ___

Adobe's John Landwehr, Group Manager for Security Solutions
and Strategy, labels recent allegations by ElcomSoft about
vulnerabilities in PDF security as 'theoretical, inaccurate
and misleading.' No patch or update is required, he says.

http://www.planetpdf.com/mainpage.asp?webpageid=2900

___ ElcomSoft marks arrest anniversary with PDF security flaws update ___

With the July 16, 2001 anniversary of the arrest of employee
Dmitry Skylarov at hand, ElcomSoft has produced and
disseminated a new report outlining alleged vulnerabilities
in PDF security that it says Adobe has not fixed in two  years.

http://www.planetpdf.com/mainpage.asp?webpageid=2894

rgds ~ Kurt
Editor, Planet PDF

 
 
 

Adobe refutes Elcomsoft's vulnerability report on PDF security

Post by Vladimir Katalo » Wed, 16 Jul 2003 16:23:03



Quote:

> ___ Adobe refutes Elcomsoft's vulnerability report on PDF security ___

> Adobe's John Landwehr, Group Manager for Security Solutions
> and Strategy, labels recent allegations by ElcomSoft about
> vulnerabilities in PDF security as 'theoretical, inaccurate
> and misleading.' No patch or update is required, he says.

> http://www.planetpdf.com/mainpage.asp?webpageid=2900

Actually, *Adobe* is publishing misleading information.

If Adobe consider this vulnerability to be "theoretical", can they give
the warranties to some independent developer (security expert) so he will
have the legal "right" to create a working exploit, without the risk
of being sued by Adobe (because of possible license issues and/or DMCA
violation)? The problem is that any *practical* exploit (based on that
vulnerability) could be considered as DMCA violation and so lead to
criminal case. That's not even under Adobe's control.

As for "is a license agreement violation and not a security issue":
license violation and security issue can co-exist without any
problems. If the license is a good "protection", what is DRM
(including Adobe's one, implemented in Acrobat software) for? If
Acrobat provides "Secure environment for eBook distribution", then any
protection violation/removal is definitely a security issue.
Otherwise, Adobe has to state that "eBook distribution environment is
protected by License Agreement", and we will not disturb them with
vulnerability reports anymore.

We continue to claim that current plug-in certification model is very
vulnerable, and using the flaws described, someone can confuse the user
by giving him a "forged" plug-in nobody will be able to detect
authorship of. Such plug-in, for example, can get unauthorized access
to protected content (or PDF documents or e-books). It is possible to
close this security hole, but Adobe, for some reason, would not like
to do that -- probably, to provide backward compatibility with old
plug-ins. But what what they really need to do is prohibit loading
uncertified plug-ins even into the full version of Adobe Acrobat, and
drop the "non-certified" mode completely.

Adobe representative also said:

"The reality is: There is no risk to users with this information that
is being posted."

This is correct. But our report is about *absolutely* different things. The
main risk is for *publishers* and 3rd party vendors developing plug-ins.
As we proved (and if needed, we can give additional proofs, if we can
get additional warranties that we will not be sued), *any* PDF-based
protection (using security handlers, according to Adobe's specification)
is absolutely not secure, and can be easily removed using the
vulnerability Adobe fails to fix for years.

Finally, Adobe says:

"we do not see any vulnerability and we are not issuing any patches or
updates based on this information. Our response is primarily going to
be education about how our product works, what it can be used for and
what the elements of the product do."

These are VERY BAD NEWS to all PDF developers and publishers. The
translation of the above statement: "we are not going to fix the
vulnerabilities in our software, we will just persuade our customers that
our software is secure".

For those who interested: Adobe is aware of all these problems not just for
two years,

If you're really curious how long Adobe's security problems are well-known
but still not being fixed, please read the following post:

http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=2000032...


Subject: Why not to use Glassbook

Newsgroups: alt.publish.books
Date: 2000/03/23 (!)

"With these files, any PDF file can be decrypted and disseminated in a form
that
actually honors the cross platform nature of PDF files."

This post is about e-books (EBX handler). This handler, very slightly
changed, now
called "Adobe DRM" (Digital Rights Management) and provides the same
"security"
as more than three years ago.

Thise is not the only problems in Adobe software that are still awaiting the
fixes.
For example, look at the following report (released a year ago):

Adobe Acrobat eBook Reader allows users to circumvent copying and printing
restrictions
http://www.kb.cert.org/vuls/id/438867

Adobe solution: "Adobe Acrobat eBook Reader" product has been terminated,
and ebook reading features are now integrated into Adobe Reader 6.0.
However,
lend/give functions (the ones that were vulnerable) have been totally
removed from
the software -- i.e. Adobe Reader 6.0 has *less* functionality than eBook
Reader.

Another report (published in March 2003):

Implementation flaws in Adobe Document Server for Reader Extensions
http://www.securityfocus.com/archive/1/313613

It is about "heavy" product that costs $75,000 and targeted to large
corporations
and government. However, Improper usage of cryptography in server software
allows anyone to produce reader-enabled documents without Document Server
for Reader Extensions.

There was no response from Adobe, and the problem is still there.

--
Sincerely yours,
  Vladimir

Vladimir Katalov
Managing Director
ElcomSoft Co.Ltd.
Member of Association of Shareware Professionals (ASP)
Member of Russian Cryptology Association

http://www.elcomsoft.com/adc.html (Advanced Disk Catalog)
http://www.elcomsoft.com/art.html (Advanced Registry Tracer)
http://www.elcomsoft.com/prs.html (Password Recovery Software)
http://www.mailutilities.com (Email Management Software)

 
 
 

1. Adobe, CERT post responses to recent PDF vulnerability report

Hi all,

Thought this might be of interest to the group...

The CERT Coordination Center, a major reporting center for
Internet security problems, has issued a Vulnerability Note
on the matter raised last week by ElcomSoft Co. Ltd.
regarding potential PDF security vulnerabilities. In
conjunction with the CERT posting, Adobe Systems has issued
its own official Vendor Statement on the recent allegations,
which it disputes as "theoretical" and "misleading."

Full story: http://www.planetpdf.com/mainpage.asp?webpageid=2910

Best,
Dan

Dan Shea - Planet PDF Evangelist

http://www.planetpdf.com/
http://www.pdfstore.com/
Planet PDF & PDF Store - A World of
Acrobat/PDF Resources & Software

2. Printing problem

3. Adobe releases Acrobat 5.x patch to fix security vulnerability

4. Send & Receive E-mail from PalmIII??

5. "MS Refutes Windows 'Spy Key'"

6. iris indigo boot problem

7. Adobe's reader can't open a protected PDF file

8. List of titles, wondering about validation

9. Adobe Acrobat and PDF security: no improvements for 2 years

10. Adobe Acrobat PDF Security

11. Full text of latest Elcomsoft ruling posted on Planet PDF

12. Aebpr - elcomsoft pdf cracker - workarounds ?

13. FBI Detains Russian Programmer in Adobe PDF Security Case