> ___ Adobe refutes Elcomsoft's vulnerability report on PDF security ___
> Adobe's John Landwehr, Group Manager for Security Solutions
> and Strategy, labels recent allegations by ElcomSoft about
> vulnerabilities in PDF security as 'theoretical, inaccurate
> and misleading.' No patch or update is required, he says.
Actually, *Adobe* is publishing misleading information.
If Adobe consider this vulnerability to be "theoretical", can they give
the warranties to some independent developer (security expert) so he will
have the legal "right" to create a working exploit, without the risk
of being sued by Adobe (because of possible license issues and/or DMCA
violation)? The problem is that any *practical* exploit (based on that
vulnerability) could be considered as DMCA violation and so lead to
criminal case. That's not even under Adobe's control.
As for "is a license agreement violation and not a security issue":
license violation and security issue can co-exist without any
problems. If the license is a good "protection", what is DRM
(including Adobe's one, implemented in Acrobat software) for? If
Acrobat provides "Secure environment for eBook distribution", then any
protection violation/removal is definitely a security issue.
Otherwise, Adobe has to state that "eBook distribution environment is
protected by License Agreement", and we will not disturb them with
vulnerability reports anymore.
We continue to claim that current plug-in certification model is very
vulnerable, and using the flaws described, someone can confuse the user
by giving him a "forged" plug-in nobody will be able to detect
authorship of. Such plug-in, for example, can get unauthorized access
to protected content (or PDF documents or e-books). It is possible to
close this security hole, but Adobe, for some reason, would not like
to do that -- probably, to provide backward compatibility with old
plug-ins. But what what they really need to do is prohibit loading
uncertified plug-ins even into the full version of Adobe Acrobat, and
drop the "non-certified" mode completely.
Adobe representative also said:
"The reality is: There is no risk to users with this information that
is being posted."
This is correct. But our report is about *absolutely* different things. The
main risk is for *publishers* and 3rd party vendors developing plug-ins.
As we proved (and if needed, we can give additional proofs, if we can
get additional warranties that we will not be sued), *any* PDF-based
protection (using security handlers, according to Adobe's specification)
is absolutely not secure, and can be easily removed using the
vulnerability Adobe fails to fix for years.
Finally, Adobe says:
"we do not see any vulnerability and we are not issuing any patches or
updates based on this information. Our response is primarily going to
be education about how our product works, what it can be used for and
what the elements of the product do."
These are VERY BAD NEWS to all PDF developers and publishers. The
translation of the above statement: "we are not going to fix the
vulnerabilities in our software, we will just persuade our customers that
our software is secure".
For those who interested: Adobe is aware of all these problems not just for
If you're really curious how long Adobe's security problems are well-known
but still not being fixed, please read the following post:
Subject: Why not to use Glassbook
Date: 2000/03/23 (!)
"With these files, any PDF file can be decrypted and disseminated in a form
actually honors the cross platform nature of PDF files."
This post is about e-books (EBX handler). This handler, very slightly
called "Adobe DRM" (Digital Rights Management) and provides the same
as more than three years ago.
Thise is not the only problems in Adobe software that are still awaiting the
For example, look at the following report (released a year ago):
Adobe Acrobat eBook Reader allows users to circumvent copying and printing
Adobe solution: "Adobe Acrobat eBook Reader" product has been terminated,
and ebook reading features are now integrated into Adobe Reader 6.0.
lend/give functions (the ones that were vulnerable) have been totally
the software -- i.e. Adobe Reader 6.0 has *less* functionality than eBook
Another report (published in March 2003):
Implementation flaws in Adobe Document Server for Reader Extensions
It is about "heavy" product that costs $75,000 and targeted to large
and government. However, Improper usage of cryptography in server software
allows anyone to produce reader-enabled documents without Document Server
for Reader Extensions.
There was no response from Adobe, and the problem is still there.
Member of Association of Shareware Professionals (ASP)
Member of Russian Cryptology Association
http://www.elcomsoft.com/adc.html (Advanced Disk Catalog)
http://www.elcomsoft.com/art.html (Advanced Registry Tracer)
http://www.elcomsoft.com/prs.html (Password Recovery Software)
http://www.mailutilities.com (Email Management Software)