Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security

Adobe Still Ignores Elcomsoft-Discovered Holes 305

evenprime writes "In 2001, Dmitry Sklyarov described vulnerabilities in Adobe Acrobat and Adobe Acrobat Reader while giving a talk at Defcon 9. As has been previously mentioned, Dmitry was arrested the day after this talk. He and his company Elcomsoft were charged with violating the DMCA. Now Elcomsoft have announced that Adobe, two years later, has still not patched these bugs."
This discussion has been archived. No new comments can be posted.

Adobe Still Ignores Elcomsoft-Discovered Holes

Comments Filter:
  • relapse (Score:5, Interesting)

    by mirko ( 198274 ) on Wednesday July 09, 2003 @03:56AM (#6398806) Journal
    They once warned them, then the public about their feeble rot13 encryption scheme.
    They got busted because of the DMCA.
    Now, they do it again.
    I guess Dmitri should avoid the USA during the next months, otherwise, he'll soon understand that in Soviet American Corps, sucees is not a matter of technical excellency but rather a matter of negociation skills and of litigation.
    So, why should Adobe managers solve this "bug" when they'll get promoted by complaining about a "criminal offense" ?

    (Note to the mods: I have been hard-working during 18 months in an American Corp, I know what it is about.)
    • Re:relapse (Score:5, Interesting)

      by Goldberg's Pants ( 139800 ) on Wednesday July 09, 2003 @04:08AM (#6398835) Journal
      It's a lot less effort to sic the lawyers on people than actually PATCH the vulnerability. Security through obscurity (and fear).

      Seriously, this isn't that surprising. Outside the tech sector, the Skylarov thing was largely ignored, and the Adobe vulnerability has been too. The sad thing is, as a writer, it pains me to see a format which is SUPPOSED to be secure be swiss cheesed. Would never use it myself, but Adobe are the real criminals in this. Defrauding people by saying "yes, this format is secure" when it quite obviously isn't.
      • Re:relapse (Score:5, Informative)

        by ClubStew ( 113954 ) on Wednesday July 09, 2003 @07:33AM (#6399382) Homepage
        No, the Portable Document Format (PDF) IS secure. The hole is actually in loading plugins at startup. While a plugin could, of course, modify the display or something of a PDF, the format itself is secure (at least as far as we know). Just FYI.
        • Re:relapse (Score:5, Insightful)

          by anagama ( 611277 ) <obamaisaneocon@nothingchanged.org> on Wednesday July 09, 2003 @12:12PM (#6401247) Homepage
          I think the prior poster was worried about having no control over distribution of his writings. And it sure looks like this vulnerability makes Adobe NOT do what Adobe says - that's like false advertising. Here's a quote from the report:

          However, using the vulnerability described above, the plug-in with forged signature can perform virtually everything, including but not limited to:
          - removing or modifying any restrictions (from copying text to Clipboard, printing etc) from the documents loaded into Adobe Acrobat or Adobe Reader;
          - remove any DRM (Digital Rights Management) schemes from PDF documents, regardless the encryption handler used -- WebBuy, InterTrust DocBox, Adobe DRM (EBX) etc;
          - modify or remove digital signatures used within a PDF document;
          - affect any/all other aspects of a document's confidentiality, integrity and authenticity.

      • up to version 6 (Score:5, Interesting)

        by mblase ( 200735 ) on Wednesday July 09, 2003 @07:34AM (#6399385)
        It's a lot less effort to sic the lawyers on people than actually PATCH the vulnerability. Security through obscurity (and fear)

        It's even more damning because Adobe just recently upgraded their PDF Reader software from version 5 to version 6, yet have failed to patch this particular problem. You'd think that somewhere among all the features (?) added between two major releases they'd have found time for this.
      • Re:relapse (Score:3, Insightful)

        by dnoyeb ( 547705 )
        NOTE: The main problem is they don't sic the lawyers, the lawyers sic themselves.

        The lawyers see this and get all huffy, and complain to management with a bunch of mumbojumbo and entice them into letting them sue. Its how they get paid. If they are not suing anyone their personal value decreases.

        If programmers took the same attitude, they would be complaining about the HOLE just as the lawyers complain about the information.
      • Re:relapse (Score:3, Funny)

        by Sloppy ( 14984 ) *
        Security through obscurity (and fear).
        Not just obscurity and fear. You're forgetting: surprise, ruthless efficiency, and an almost fanatical devotion to the Pope.
      • Re:relapse (Score:3, Insightful)

        by mentin ( 202456 )

        It's a lot less effort to sic the lawyers on people than actually PATCH the vulnerability. Security through obscurity

        There is nothing Adobe can do to fix this "vulnerability". Any software-based Digital Rights Management scheme is expected to be broken. Remember this is not "security through obscurity" but "DRM through obscurity." Good security is done through good math, but no math would get you good DRM. Any DRM app is finally based on obscurity and can be broken, the only difference between one app and

    • Re:relapse (Score:2, Interesting)

      by Surak ( 18578 ) *
      Wait.... I never caught this before...

      rot13?

      They seriously charged Dimitry with breaking ROT13 under the DMCA? This is not a joke? I always thought the people joking about breaking rot13 sigs and whatnot were kidding. Turns out its HHOS.

      Damn. rot13 barely qualifies as encryption.

    • by Anonymous Coward
      Adobe's response to the bug includes this gem:
      Exploits of this vulnerability violate the End User License Agreement included with Adobe Acrobat and Adobe Acrobat Reader.

      They say this as if it actually matters!
      • Answer them you didn't learn to read to lose your time reading such idiocies :)

        No, seriously : I'll only consider downmod fair if it's being done by a mod who can prove me he *always* read entire EULAs before agreeing :)
    • Re:relapse (Score:3, Insightful)

      by Alexander ( 8916 )
      "I have been hard-working during 18 months in an American Corp, I know what it is about."

      That's just about the silliest thing I've ever read there, Mirko. It would be just as silly for me to say "I've been to Paris twice, so I know what French people are all about, arrogant and stinky!"

      Please leave absurd generalizations to the trolls.

    • Re:relapse (Score:3, Insightful)

      Couldn't agree with you more, I'm quite convinced that American companies are all about taking the easy way, in technology and elsewhere. I can't tell you how many times my managers have tried to convince me "the right thing" was building a substandard product, or screwed up a product by doing something that SOUNDS good to a roomfull of suits but is in reality incredibly stupid and shortsighted.

      Engineers have to share some of the blame however, I can't tell you how many good engineers refuse to go in to ma
  • by mikeophile ( 647318 ) on Wednesday July 09, 2003 @03:56AM (#6398807)
    They have the DMCA to sue those who exploit it for a new source of revenue.

    Maybe more companies will bait their software with easy exploits to snare those who try to circumvent it

    If nothing else, it gives the companies an excuse to their shareholders for shoddy coding.

    • If I spread documents/e-books relying on such protection, I would not be a happy customer.

      Sure they can sue makers of commercial cracking programs, but fact remains that many people can use such programs to make 'illegal' copies of my documents. Suing with the DMCA doesn't make much change in that respect.
    • by ndogg ( 158021 ) <the.rhorn@NoSPAm.gmail.com> on Wednesday July 09, 2003 @05:09AM (#6398973) Homepage Journal
      If future commercial software relies on the law for its security rather than actual software security, this may be a good thing for open source. When that happens, we really can then say that OSS is truly more secure.
    • by Anonymous Coward
      If I was a book publisher I would think twice before using Adobe's ebook technology to release my titles. That should be enough incentive for Adobe to fix the vulnerability.

      Unless Adobe doesn't really care about the format. Maybe they just won't fix it because they expect Microsoft to take over the ebook market with its DRM plans.
  • by Anonymous Coward on Wednesday July 09, 2003 @03:58AM (#6398812)
    [...]may we ask who found those bugs again?
  • Bwahaha! (Score:5, Funny)

    by Quaoar ( 614366 ) on Wednesday July 09, 2003 @03:59AM (#6398813)
    Foolish PC users! Us Macintosh people will be entirely unaffected by these exploits... ...because Adobe is starting to stop making programs for mac... :(
    • Seriously? You gotta link? Adobe products have been one of the cornerstones of software applications for the Mac for many years.
    • Re:Bwahaha! (Score:3, Insightful)

      by Black Perl ( 12686 )
      I don't know if that last bit was a troll or not, if so you got some of us. Adobe will continue to make Mac programs for a long time. They are only dropping support for Premiere, because other products have taken over the high end and iMovie has taken over the low end of the video editing market. Hardly anybody uses Premiere anymore on a Mac.
  • by supersam ( 466783 ) on Wednesday July 09, 2003 @03:59AM (#6398816) Homepage
    ... of sweeping the bugs under the rug and ignoring that they exist while punishing the kid for pointing out the bugs.

    When those bugs crawl out from under the rug... that's when you start feeling the pinch... quite literally... coz they're nasty bugs that bite.
  • by Anonymous Coward on Wednesday July 09, 2003 @04:01AM (#6398822)
    ...if that isn't a new way of fixing bugs.

    Sueing the people until they stop caring and reporting them (the bugs).

    That amazon guy probably has already patented it.
  • by gfody ( 514448 ) * on Wednesday July 09, 2003 @04:01AM (#6398823)
    its just a way to trick acrobat into thinking your plugin is signed. if your installing a plugin for anything you should realize it will be executing on your computer and proceed with caution. its not the hosting app's job to make sure its plugins don't do anything they're not suppose to do (imo that responsibility should fall on the os, but thats mho) - so whatever extra security added by adobe to try and prevent untrusted plugins is pure gratis
    • Big vulnerability (Score:5, Informative)

      by m4g02 ( 541882 ) on Wednesday July 09, 2003 @04:08AM (#6398836)
      You missed the point, the vulnerability is a big one and doesnt involve the final user.

      As you may already know many companies use PDF to realse secure documents, this companies are confident that adobe security will keep the document as read only so no llama will make changes for fun or copy paste their info.

      But then we have this vulnerability where you can load a custom plugin in secure mod, this plug in could use all the privileges a secure plug in has, like for example saving an unencrypted version of the file or, why not, a pain text copy.

      This sound like a big vulnerability to me, but companies that use Acrobat are the ones that should be angry.

      • Re:Big vulnerability (Score:2, Informative)

        by Vandil X ( 636030 )

        ...companies are confident that adobe security will keep the document as read only so no llama will make changes for fun or copy paste their info.

        Any "secure" text-display is subject to modification, even by low-end computer users. It's as easy as pressing the Print Screen key and using a scanner with bundled consumer OCR software to convert the image back into paginated (and editable) text.

        The problem with the PDF security hole is moreso in the matter of digital signatures. If someone were to expl

    • I don't see this "vulnerability" as a problem. I quite often use Elcomsoft's utility to unprotect PDF files so I can fix them, or copy some text out. This "vulnerability" means that you can run plugins WITHOUT having them signed by Adobe. This is GREAT. We want to do this, we don't want Adobe to be decide what you can and can't do with your files. I can' think how this could hurt the end-user. You don't install Acrobat plugins that come in spam emails, you do it becasue you want the function (yeah, someone
      • Re:NOT a problem (Score:5, Informative)

        by Matrix272 ( 581458 ) on Wednesday July 09, 2003 @07:25AM (#6399346)
        This "vulnerability" means that you can run plugins WITHOUT having them signed by Adobe.

        THAT is the problem. Companies use Adobe Acrobat to create forms that should not be altered outside the company, like contracts, and send them to their customers to fill out. If said company can no longer trust that their customers won't be able to change text in their contract without notifying them, then Adobe Acrobat is completely meaningless.

        My last job was at an ISP that would create contracts and accounting papers in Acrobat, then send them to people to fill in certain information. Sometimes, the documents could be 30-50 pages in length. It obviously would take quite a long time to manually go through and verify that nothing inappropriate (i.e. the cost of getting out of the contract) would be changed. Of course, in that case, the company deserved whatever it got, but that's beside the point.
        • Re:NOT a problem (Score:3, Insightful)

          by 1u3hr ( 530656 )
          THAT is the problem. Companies use Adobe Acrobat to create forms that should not be altered outside the company, like contracts, and send them to their customers to fill out. If said company can no longer trust that their customers won't be able to change text in their contract without notifying them, then Adobe Acrobat is completely meaningless

          Well, I don't want to sound like a jerk, but it's not my problem, and security settings (often applied inappropriately or inadvertently) cause me a lot of hassles.

  • Excellent! (Score:5, Insightful)

    by Noryungi ( 70322 ) on Wednesday July 09, 2003 @04:06AM (#6398831) Homepage Journal
    As I have said before, one of my friend is blind.

    Have you got any idea how fscking difficult it is for the poor chap to read "protected"[1] PDF files? Trust me, it's pure hell!!

    At least, since Adobe has decided to pull an MS on its users and ignore known problems, maybe I'll be able to crack some of these protected files for my friend, so that he can read them.

    So, there are, er, ahem... unexpected benefits to this sh___y Adobe attitude...

    Just my US$ 0.02...

    [1] "Protected" as in: "can't print, can't copy, can't save as". Yes, Virginia, you can create that kind of PDF files!
    • Re:Excellent! (Score:5, Insightful)

      by ameoba ( 173803 ) on Wednesday July 09, 2003 @04:17AM (#6398853)
      The obvious thing to do is to sue Adobe since their free product discriminates against the blind.
      • Re:Excellent! (Score:5, Interesting)

        by Noryungi ( 70322 ) on Wednesday July 09, 2003 @04:30AM (#6398884) Homepage Journal
        The obvious thing to do is to sue Adobe since their free product discriminates against the blind.

        Bzzzzt! Wrong answer!

        1. Abobe is not responsible for the PDF files that are produced by its customers. The "basic" Adobe Acrobat Reader has all the functions necessary to export the document to text for instance. (In Acrobat Reader 5.0/Windows, click on File > Export Document to Text).
          But it is still possible to create a PDF file that does not allow any manipulation or export...
        2. Non-discrimination laws vs the blind only apply to some countries (AFAIK USA and -- maybe -- Spain). There is no such law in the country where my friend and I live.
        3. Do you have the kind of money that would be necessary to sue Adobe? Do you have enough money in your bank account that it would not matter to you if you actually lost the case? Hmmmm...? Maybe you do... but I don't.


        I am definitely going to order one of the Elcomsoft utility for my friend... ;-)
        • [Adobe] is not responsible for the PDF files that are produced by its customers.

          I agree that gun makers don't kill people. Still, I'd like to point out that just as makers of dangerous devices include copious warnings in the manuals, Adobe's manual writers could have warned users that fully restricted PDF files will often interfere with assistive technologies and prove less useful to people with vision problems.

          Non-discrimination laws vs the blind only apply to some countries (AFAIK USA and -- maybe

        • There is a PDF to Text convertor (sorry cant remember the exact name of the package) in Debian that allows that works with encrypted/protected files. You'ill have to do a little research but it is there and maybe even ported to Windows.
        • Re:Excellent! (Score:5, Informative)

          by Vendekkai ( 121853 ) on Wednesday July 09, 2003 @07:19AM (#6399315)
          Many of the assumptions in posts above are incorrect. I installed Acrobat 6 a month ago, and can verify these features.

          1. Acrobat has a read aloud function for the visually impaired. It's not perfect, a rather tinny voice, but it is functional. I, err, listened to a chapter or so of the latest Potter book (don't ask!) while driving, and could make perfect sense of the text to speech. This function is available when read access is given to the document.

          2. Adobe does warn people in the manual that pdfs are not very secure. They don't admit that Acrobat can be cracked, but the say something to the effect of "other pdf readers may not implement the pdf security features properly, and your secure document may not retain security with those readers." Of course, you can remove any pdf security with GhostScript, using a cracked dll.

          Vend Ekkai
          • It was trivial to obtain a cracked 3.1 reader that had disabled security. I had to do it once because I forgot the password I'd set myself! I assume It wouldn't be too hard for an updated reader. Of course, most PDF's you read are still 3.x comptatible, so it wouldn't matter.
          • Of course, you can remove any pdf security with GhostScript, using a cracked dll.

            You don't need to crack the dll - you could just take the open source version, change the source, and compile it.

            "Cracked dll" sounds sexier, I suppose ;) After all, only evil hackers would want to defeat "PDF security" :)

    • Re:Excellent! (Score:4, Interesting)

      by Kierthos ( 225954 ) on Wednesday July 09, 2003 @05:03AM (#6398965) Homepage
      Oddly enough, if you have the proper plug-in for Adobe Acrobat, you can take one of those "protected" files, extract all the pages to a separate file, and then save it. Had to do that at work when the clueless-as-hell customer gave us a file to print that was protected. (Furthermore, the customer didn't know how to "un-protect" it, and the person who did was on vacation.)

      In the off chance that doesn't work, you can import the file, page by page, into Photoshop and resave the pages. But that's really only an option with files that are fairly small in terms of page count.

      Kierthos
  • Sklyarov (Score:5, Informative)

    by AndrewHowe ( 60826 ) on Wednesday July 09, 2003 @04:11AM (#6398841)
    Even the article gets it wrong now.
    Sklyarov!
  • by dmeranda ( 120061 ) on Wednesday July 09, 2003 @04:21AM (#6398858) Homepage

    Perhaps Adobe should work with Lexmark to help them out with the crypto coding; you know, that great company that protects the consumer against accidentally using cheap ink [slashdot.org] with strong cryptographic chips. Then Adobe could not only provide a PDF option to prevent you from printing a document, they could also enforce that if printed, a PDF document will only be printed with 100%-genuine Lexmark toner. Oh, I see another option with Kodak here, perhaps by embedding RFID tags directly in that specical Kodak paper.

    BTW, did anyone notice that with the latest PDF specification, version 1.5, which corresponds to Acrobat 6, that they added verbage to the copyright/license part to enforce that all software which implements the PDF specification must obey all those stupid magic security bits? They claim the specification is open and free for anybody to develop software around it, but that since the "format" is copyrighted all independently developed software must obey their fragile DRM schemes. How in the world can they copyright a format; sure their specification is copyrighted being a printed work, but the "format"?

  • by t0qer ( 230538 ) on Wednesday July 09, 2003 @04:26AM (#6398872) Homepage Journal
    I don't think it is..

    Sure you have chapters, exact replication of your original document, DRM, cross platform, and other nifty features, but all this and more could be implemented using a combination of HTML, PHP, and java.

    For example, if I was going to sell some html online I could use the PHP application oscommerce to make sure I got paid, HTML for chapters and such, and java to disable people from simply copying and pasting the text somewhere it could be shared.

    Sure, it sounds really technical to the folks that are used to doing a "file>save>PDF" in acrobat. But I wouldn't think that it would be that much more difficult.
    • by agent dero ( 680753 ) on Wednesday July 09, 2003 @04:41AM (#6398909) Homepage
      As soon as you implement this, we can talk.

      Until Java is supported well cross-platform, and as soon as you can somehow get people to obey all your PHP-HTML-Java rules, then be queit.

      The beauty of PDF, is exactly it's name Portable Document Format just about every platform supports PDF in one form or another, besides a couple ignored security holes here and there, I think PDF is a functional format.

      You can have formatted text and images, looking the same on just about every platform that has a GUI.
    • HTML and others do not reproduce content as faithfully as PDF does. A better replacement is good old PostScript: the only downside of PS is that it takes up about 2.5 as much space as the equivalent PDF.

      Incidentally, does anyone know of any patents or copyrights on PS?
      • A better replacement is good old PostScript: the only downside of PS is that it takes up about 2.5 as much space as the equivalent PDF.

        Better than PS, why not use dvi? Definitely no royalties or patents here, and by the mere specification of it, device independent format, it is device, os, whatever independent and will look the same on anything that it is viewed on. Sure at this point it is implemented by TeX, but there is no one stopping it from being implemented elsewhere.
    • by Zeddicus_Z ( 214454 ) on Wednesday July 09, 2003 @05:38AM (#6399030) Homepage
      I work as an IT admin at a publishing company. We do several magazines covering various aspects of the IT industry. PDF's are vital to our production process. Why? Well, the two biggest reasons are;
      • When an advertiser sends your their ad as PDF, they can be almost 100% certain that it will appear on our systems exactly the same as it did on theirs.(*)
      • When we send our magazines off for printing, we can be almost 100% certain that what the printers see on their systems is what we saw on ours(**)
      Aside from the above, there are many other reasons why PDF is the industry standard in publishing (and, unlike Mac, it's a real standard. Once we weaned our designers off Apple and over to PC, they've been full of nothing but praise for the platform. Yep, that's right, we're a magazine publishing company that doesn't use Apple.)

      Despite your claims, HTML is never and will never be a means of displaying content the same way across multiple platforms. Heck, it wasn't even designed for that use in the first place. People try to make HTML-formatted content look exactly the same cross-platform, but when it changes layout at the even the slightest screen resolution change, it's a lost cause.

      I read the Elcomsoft post to bugtraq this afternoon, and I agree Adobe's attempt to fix the problem was, at best, a poor effort. However, their failure to fix a flaw in their application does not mean that companies can up and switch to formats that not only do not do the same basic job PDF does (consistent display cross platform), but don't even claim to do so.

      *Varibles such as colour saturation, monitor differences and even things as small as the level and angle of light being cast onto a monitor affect the display. However, this does not affect the printing process.
      **Once again, you have variables that are almost uncontrollable such as types of ink, non-PDF fuckups at the printer's end, etc.
      • Your post is interesting and informative, but slightly off-topic. It boils down to the fact that PDF is good for publishing industry. Sure, but the story is about ebooks.

        1) While PDF is a good solution (as I already said in another post) for remote printing, the applications supporting it (Acrobat Reader) are a very poor choice for well, reading. Reading ebooks in Acrobat Reader is like wiping your ass with emery paper. :)
        2) While HTML is a poor choice for publishers, a similar XML-based format could be ma
    • Isn't Acrobat VECTOR based? That's why the fonts don't pixelate no matter how far you zoom in or enlarge the document.

      How do you plan on doing that with HTML?
      • Isn't Acrobat VECTOR based? That's why the fonts don't pixelate no matter how far you zoom in or enlarge the document. How do you plan on doing that with HTML?

        PDF has many advantages, but that isn't one of them. You generally use vector fonts in HTML (such as Truetype Arial and Times). When I zoom a HTML page, the type stays smooth. However, graphics in HTML are only bitmap (jpeg, gif, png), and these may not scale so nicely. PDF generally includes images as jpegs, but also can have vector graphics.

        • by Rogerborg ( 306625 ) on Wednesday July 09, 2003 @07:26AM (#6399349) Homepage

          >You generally use vector fonts in HTML (such as Truetype Arial and Times).

          Sure, go ahead and specify those fonts. Is my Lynx text mode console browser going to render them? What you mean is that it should look as you intended on (e.g.) IE 6.0.2800.1106.xpsp2.030422-1633 on XP Home build 2002 SP1 English with the exact fonts that you had on your machine when you created it.

  • by torpor ( 458 ) <ibisumNO@SPAMgmail.com> on Wednesday July 09, 2003 @04:28AM (#6398876) Homepage Journal
    I, personally, would like to make my annoyance at this situation known.

    Who do we contact at Adobe? How do we make a serious stink about this? Are the board members of this company contactable somehow? I'd go to the effort of writing a decent letter explaining to them their stupidity and callousness, if I knew where to send it.
    • by lhbtubajon ( 469284 ) on Wednesday July 09, 2003 @04:35AM (#6398892)
      I believe that would be:

      brickwall@adobe.com
    • "Who do we contact at Adobe?"

      Their sales and marketing department.

      "How do we make a serious stink about this?"

      By not buying their products.
    • Before you contact Adobe and "make a serious stink"....

      Consider the irony that you will be complaining about how Adobe is authenticating the trustworthiness of plugins, based on misleading information in an angry rant from a very untrustworthy Russian company with a history discovering Adobe's vulnerabilities and then selling (for profit) exploit tools that exploit those vulnerabilities.

      What were you going to complain about again to Adobe's senior management... oh yes, it was "their stupidity and callou

  • by jsse ( 254124 ) on Wednesday July 09, 2003 @04:51AM (#6398934) Homepage Journal
    I once asked my boss why our company has to raise so many lawsuits each year. He told me under the influerence of a couple of beers that if we don't keep our lawyers busy they'd find something to sue us.

    "They're like guarddogs" after more beers "if you don't feed them well they might bite you one day"

    I know this is an unfair comparison. Accept my apology to all the faithful employees...I meant to those guarddogs.
  • by lavalyn ( 649886 ) on Wednesday July 09, 2003 @04:57AM (#6398947) Homepage Journal
    After all, we knew the DMCA would have this effect on companies and software, where bugfixes are unnecessary by litigation.

    Why fix software when we can send lawyers and make examples and burning effigies instead?
  • by jkrise ( 535370 ) on Wednesday July 09, 2003 @04:58AM (#6398951) Journal
    During every upgrade to a new Windows OS, we are advised [microsoft.com] to run a check for file viruses using anti-virus s/w. It's a tragedy that software exploits are described as viruses and linked to terrorists and success-haters. Why can't MS make newer releases of their OSes atleast immune to known viruses and the associated vulnerabilities???

    Every new release of s/w causes some code to break - a game here, a dll there, an application and so forth. The only thing that runs well on all flavours of MS OSes from DOS to XP is viruses!

    It's easier to obfuscate and profitable as well, apparently.
    • >> The only thing that runs well on all flavours of MS OSes from DOS to XP is viruses!

      You overrate viruses. Take it from someone who works at an AV company and who spent 2 years in the virus analysis team, roughly 90% of them fail to do part or all of what their writer intended to do.

      Viruses are not an exclusion to your law-of-patchiness.
  • by Futurepower(R) ( 558542 ) on Wednesday July 09, 2003 @06:13AM (#6399091) Homepage

    Very, very few people, apparently, have both technical knowledge and managerial knowledge.

    The problem mentioned in the Slashdot story appears to be that Bruce Chizen, Adobe president, is not prepared for the intellectual challenge of running a technical company. He's been a salesman and marketing manager [google.com] all his life. Now Adobe has become dependent on Acrobat [siliconvalley.com], and has a big customer for Acrobat, the IRS (U.S. Internal Revenue Service).

    It's amazing. The job pays extremely well [siliconvalley.com], even though the smart people [macworld.com] are gone, Adobe has laid off people, and the stock [yahoo.com] is slowly sliding.

    We live in a business climate in which a few people at the top make a huge amount of money, and other people suffer, even though they helped make the money.

    There seems to be a pattern with technological companies. The people who really understand the technology get tired and go on to other things, or are forced out of the company they founded (as was Jobs at Apple). Everyone pretends that nothing has happened, and the company runs on inertia for a while. With luck, the new managers, who try to hide the fact that they really don't understand what the company does, encounter a business upturn. But inside the company is dying.

    John Sculley was a sugar water salesman (Pepsi) before he came to Apple and forced Jobs out. Apple looked okay for a while, but slowly lost importance. Then Jobs came back, and Apple became very important.

    Adobe's Postscript is brilliant technology. Using Postscript to make PDF files is brilliant. Knowing what photo editing tools need to go into Photoshop requires deep technical understanding. Probably Bruce Chizen understands none of this. Can a manager run something he does not understand? No.
    • Of course a manager can't run something he doesn't understand. But modern business theory says that the product (or technology) doesn't matter. All that matters - all - is your cash-flow strategy. Of course, this theory couldn't possibly be wrong and responsible for the collapse of the domestic tech industry (or the economic depression in general). No, that must be because tech is "commoditizing" and there's nothing new to do, right?

      Of course, this doesn't work. Like outsourcing and moving jobs overseas t

    • by Anonymous Coward
      This is also part of the American way: Harvard Business School of Management started preaching a long time ago (late '70's to early '80's) that managers just didn't need to know anything technical about the business they were managing to run it effectively.

      Obviously this was good for Harvard business school graduates and, by association, for the Harvard business school itself, but it has been disastrous for American business.
      • Business schools have set models and techniques of management that are designed to be generic. You can't sell a product (generic business education) if it doesn't work in all fields. Business schools, IMHO, are a damn waste of time.

        Also, if you really want to make "managing" a profession, then the traditional hierarchy-of-power-implies-hierarchy-of-pay model where managers make more money than the people working for them doesn't make sense. It was designed in the days when managers worked their way up f
  • by Feldmrschl ( 79133 ) on Wednesday July 09, 2003 @06:40AM (#6399176) Homepage
    [monty python reference]

    DIMITRI: If you will not fix rot13 encryption, we shall publish an exploit!
    ADOBE LAWYER: You don't frighten us, Russian pig-dogs! Go and boil your bottom, sons of a silly person. I blow my nose at you, so-called Dimitri Hacker, you and all your silly Russian k-nnnnniggets. Thpppppt! Thppt!Thppt!
    SLASHDOT: What a strange company.
    DIMITRI: Now look here, my good man--
    ADOBE LAWYER: I don't wanna talk to you no more, you empty headed animal food trough wiper! I fart in your general direction! You mother was a hamster and your father smelt of elderberries!
    SLASHDOT: Is there someone else up there he could talk to?
    ADOBE LAWYER: No, now go away or I shall sue you a second time-a!
    ADOBE EMPLOYEE #1: I didn't know we were Idiots?
    ADOBE EMPLOYEE #2: Of course, why else do you think we are protecting this ridiculous algorithm?

    [/monty python reference]
  • by cenonce ( 597067 ) <anthony_t@@@mac...com> on Wednesday July 09, 2003 @07:03AM (#6399244)

    This really shouldn't surprise anyone. The DMCA gives companies a right to sue if you reverse engineer an encyption device. But the DMCA offers no protecting to the consumer by requireing a company to FIX the problem.

    Besides /., this story has not had a whole lot of publicity. Add to that the fact that most people wouldn't know how to decrypt the e-books (and, more importantly, probably don't all that much care), there really isn't much incentive for Adobe to fix it.

    The puzzling thing to me is that it seems like it really wouldn't cost all that much to fix. I mean, it is a patch afterall and every friggin time I start up Photoshop Elements it is downloading some update (though not sending any of my personal information... hehe!).

    IAAL, so what I start to think is: Does Adobe have any liability for failure to patch the software when an author loses money because his or her ebook is pirated? No doubt in advertising and selling the software, Adobe touted the encryption as a safety feature. Contributory infringement, maybe? Misrepresentation? A warranty theory? Hmm....

  • by pjrc ( 134994 ) <paul@pjrc.com> on Wednesday July 09, 2003 @07:04AM (#6399247) Homepage Journal
    Clearly, Elcom is attempting to characterize Adobe as having utterly ignored this problem. It does appear that they have been slow and unresponsive to input. But this message reads as a smear campaign against Adobe, attempting to distort the facts by mixing a new security advisory with a rant about how slow and unresponsive they have been.

    They characterize a new bug (oversight in the fix, see below) as having done absolutely nothing. Not very honest...

    I'm pretty impressed that slashdot didn't post the inaccurate "no improvements for 2 years" title, when it is clearly a fact (based on the text of the article) that Adobe added a new, stronger signing method in version 6, as a good-faith attempt to solve this problem. Yes, "2 years" appears to be true, but that's not the 2 years from July 2001 to July 2003 (today).

    Likewise, the statement at the top: "oftware released in 2003 contains vulnerabilities disclosured in 2001" gives the impression that the new version contains the exact same vulnerability, rather than an oversight in a major rework of the security mechanism that was intended to fix the bug.

    It sounds like Adobe really did try to fix the problem. They implemented a new, strong signing method. They even adandoned backwards compatibility and refuse to load the old, easily forged plugins when in certified mode. As Elcom's message explains, Acrobat 6 only allows "certified" mode if all the plugins have the new, strong signatures, or if all the plugins if finds have these signatures it automatically goes into certified mode.

    The real complaint appears to be an oversight that some undocument function, which is callable in uncertified mode by an unsigned plugin (or one of the legacy weakly authenticated plugins) can call this undocumented function and cause Acrobat to switch into certified mode. Quoting from the Elcom message:

    Therefore, if plug-in with "forged" certificate is loaded, it can patch the code of CTIsCertifiedMode function in memory, and so force Acrobat to believe that it works in "Certified" mode.

    So there you have it, a secutity real announcement, burried after a lengthy rant about how slow and unresponsive Adobe has been.

    Yes, Adobe has a bad attitude. Yes, they fscked up and their attempt to fix the problem still has an exploitable weakness. Ok, I can buy that Adode has a bad attitude.

    Elcom (or specifically, Vladimir Katalov) doesn't impress me much either, when it comes to attitude and standards of professional conduct. This angry rant attempts to paint a picture of Adobe has having still done utterly nothing to fix this problem... including a very misleading tital and summary.

    Katalov sinks to the tactic of use a embedded an advisory of a weakness to attract attention to an angry rant about his frustrations with Adobe's unresponsive history.

    • by pjrc ( 134994 ) <paul@pjrc.com> on Wednesday July 09, 2003 @07:25AM (#6399344) Homepage Journal
      Also, as long as Elcom is thowing stones of "Adobe is slow, unresponsive" and still has a weakness after their attempt to fix the problem, consider Elcom's standard of professional conduct:

      1. Discover weakness in Acrobat Reader
      2. Create exploit tool and sell it commercially
      3. Announce the exploit at Defcon and distribute some free copies of the polished, for-profit exploit
      4. Dmitry gets arrested, infamous DMCA case...
      5. Eventually report the bug to CERT, after Dmitry case resolved
      6. Adobe reworks plugin authentication/signing in next major release, but a flaw still remains where unsigned plugins can patch Acrobat's in-memory image and obtain unathorized privs (CERT avdisory only covers signing weakness)
      7. Elcom complains that Adobe has ignored problem and done nothing.

      The DMCA sucks, Adobe is unresponsive, and Dmitry shoulda been released promptly.... but regardless of all that, everybody should remember that we're dealing with a for-profit company that discovered weaknesses and first created and SOLD for-profit exploits and went on a campaign to promote it... and only reported to CERT after a legal battle that forced them to pull their commercial exploit product from the market.

      • /.

        You acuse others of misleading statements... but I was actually at defcon9, and was in the audience during Dmitry's presentation. I think you were not.

        Elcomsoft did not sell an exploit tool. They sold a companion product for a flawed piece of commercial software. (Just like the companies that sell antiviruses for windows.) This product allowed users to exercise their legal rights under Russian law.

        Dmitry did not "announce the exploit at defcon". He gave a presentation detailing weaknesses in a com
    • Adobe is selling a lie. You can't promise a "secure" digital format. If you give me a buch of bytes, I can change it. Hell, if you give me a piece of paper, I can change it. All you can do about it is offer a reference and detect the change. Even then, someone might sneak in and change your reference. The whole secure digital thing is bullshit.
  • by Eivind ( 15695 ) <eivindorama@gmail.com> on Wednesday July 09, 2003 @07:08AM (#6399268) Homepage
    This is not surprising. What Adobe is trying to do is fundamentally impossible to do as long as the users still have ultimate control over their computers.

    Adobe is trying to tell customers that they have a format in which you can send a document to someone, and that document will only be readable on that one computer, or will not be printable, or will not be copyable to the clipboard or whatever.

    This is fundamentally impossible. If my computer can display the document on screen for me, then this means that the computer MUST have all the required information to do so. This includes any and all secret keys if the document is encrypted and so on.

    This implies that the computer also has all the info needed to print the document, or copy it to the clipboard or whatever. Now, Adobes product could only work if the computer "knew" how to do this, but refused to do it anyway, in other words, if the computer was not obeying the end-user.

    This is possible with secure hardware and similar that refuse to run code that is not digitally signed by the real master (not the end-user and owner!). But with the current computers that happily run anything you the user want in priviledged mode it is not possible.

    Sure they could, and probably should, patch this spesific hole. But there's nothing Adobe can do to make they so-called "secure pdf" actually do what they claim it will do. And they know it.

    • This is possible with secure hardware and similar that refuse to run code that is not digitally signed by the real master

      No, even that will be defeated. The digital signature is checked only once (it would be ridiculous to re-check it, say, before executing each instruction). There's a billion different ways you can take advantage of this. Say, for example, some code is loaded into RAM and its signature is checked. Now, all you have to do is replace the "validated" program with your own code in RAM. Supp

  • by ipour ( 177686 ) * on Wednesday July 09, 2003 @08:04AM (#6399536)
    Too many people don't pay attention to where their plug-ins and other downloads come from - that is where a big part of the problem starts. End users need to own up to that fact that when a warning comes up about an unsigned or questionable certificate, they need to ask some serious questions before installing.

    Sure, Adobe still has a "vulnerability" in the strict sense of the word, and if they want to continue marketing a weak security product, that is their business. In my opinion, their inspired release of Acrobat Elements will make Adobe a bigger player and Acrobat a major product. Going in to this with a problem is just bad business and will not help them. And whacking the messenger with the DMCA is definitely not a solution!
  • by irving47 ( 73147 ) on Wednesday July 09, 2003 @09:11AM (#6399941) Homepage
    Thank God they only do media-like applications. Imagine what would happen if they were responsible for system-level applications or the operating system. A company that drags its feet to this degree in patching security holes could really be a problem. I just can't imagine what that would be like. Can you?

  • by Len ( 89493 ) on Wednesday July 09, 2003 @09:49AM (#6400237)
    can they be charged under the PATRIOT Act?
  • by August_zero ( 654282 ) on Wednesday July 09, 2003 @02:18PM (#6402242)
    Someone explain to me what it is exactly we are supposed to do concerning security issues when the following seems to be the standard M.O.:

    1)Create Buggy Software
    2)Prosecute anybody who finds these bugs.
    3)?????
    4)Profit!!!

    Why not just pass a law a to make it illegal to complain?
  • Typically Adobe... (Score:3, Interesting)

    by writermike ( 57327 ) on Wednesday July 09, 2003 @05:17PM (#6403647)
    My first thought after reading this was that the company was embarrassed and didn't want to admit to the bugs.

    But then I realized something...

    I've worked in companies which were active beta and alpha testers for adobe software of all kinds, but especially for the print industry.

    Adobe rarely admits bugs. Period. As long as the problem is not a show-stopper (or is an obscure show-stopper), it will rarely get fixed. It _may_ get a mention in the knowledgebase, but this is not a given.

    There are still things plauging the printing industry in multiple versions of multiple Adobe products -- Acrobat, Illustrator, Indesign, etc.

    So, no, it's not a surpise that Adobe didn't fix this. They don't fix much.

"I'm a mean green mother from outer space" -- Audrey II, The Little Shop of Horrors

Working...