Adobe Still Ignores Elcomsoft-Discovered Holes 305
evenprime writes "In 2001, Dmitry Sklyarov
described vulnerabilities in Adobe
Acrobat and Adobe Acrobat Reader while
giving a talk at
Defcon 9.
As has
been
previously
mentioned, Dmitry was arrested the day after this talk. He and his company Elcomsoft were charged with violating the DMCA. Now Elcomsoft have announced that
Adobe, two years later,
has still not patched these bugs."
relapse (Score:5, Interesting)
They got busted because of the DMCA.
Now, they do it again.
I guess Dmitri should avoid the USA during the next months, otherwise, he'll soon understand that in Soviet American Corps, sucees is not a matter of technical excellency but rather a matter of negociation skills and of litigation.
So, why should Adobe managers solve this "bug" when they'll get promoted by complaining about a "criminal offense" ?
(Note to the mods: I have been hard-working during 18 months in an American Corp, I know what it is about.)
Re:relapse (Score:5, Interesting)
Seriously, this isn't that surprising. Outside the tech sector, the Skylarov thing was largely ignored, and the Adobe vulnerability has been too. The sad thing is, as a writer, it pains me to see a format which is SUPPOSED to be secure be swiss cheesed. Would never use it myself, but Adobe are the real criminals in this. Defrauding people by saying "yes, this format is secure" when it quite obviously isn't.
Re:relapse (Score:5, Informative)
Re:relapse (Score:5, Insightful)
However, using the vulnerability described above, the plug-in with forged signature can perform virtually everything, including but not limited to:
- removing or modifying any restrictions (from copying text to Clipboard, printing etc) from the documents loaded into Adobe Acrobat or Adobe Reader;
- remove any DRM (Digital Rights Management) schemes from PDF documents, regardless the encryption handler used -- WebBuy, InterTrust DocBox, Adobe DRM (EBX) etc;
- modify or remove digital signatures used within a PDF document;
- affect any/all other aspects of a document's confidentiality, integrity and authenticity.
up to version 6 (Score:5, Interesting)
It's even more damning because Adobe just recently upgraded their PDF Reader software from version 5 to version 6, yet have failed to patch this particular problem. You'd think that somewhere among all the features (?) added between two major releases they'd have found time for this.
Re:relapse (Score:3, Insightful)
The lawyers see this and get all huffy, and complain to management with a bunch of mumbojumbo and entice them into letting them sue. Its how they get paid. If they are not suing anyone their personal value decreases.
If programmers took the same attitude, they would be complaining about the HOLE just as the lawyers complain about the information.
Re:relapse (Score:3, Funny)
Re:relapse (Score:3, Insightful)
There is nothing Adobe can do to fix this "vulnerability". Any software-based Digital Rights Management scheme is expected to be broken. Remember this is not "security through obscurity" but "DRM through obscurity." Good security is done through good math, but no math would get you good DRM. Any DRM app is finally based on obscurity and can be broken, the only difference between one app and
Re:relapse (Score:2, Interesting)
rot13?
They seriously charged Dimitry with breaking ROT13 under the DMCA? This is not a joke? I always thought the people joking about breaking rot13 sigs and whatnot were kidding. Turns out its HHOS.
Damn. rot13 barely qualifies as encryption.
Re:relapse (Score:4, Informative)
you can read about it here [cert.org]
That'll Stop Em! (Score:2, Funny)
Exploits of this vulnerability violate the End User License Agreement included with Adobe Acrobat and Adobe Acrobat Reader.
They say this as if it actually matters!
Re:That'll Stop Em! (Score:2)
No, seriously : I'll only consider downmod fair if it's being done by a mod who can prove me he *always* read entire EULAs before agreeing
Re:relapse (Score:3, Insightful)
That's just about the silliest thing I've ever read there, Mirko. It would be just as silly for me to say "I've been to Paris twice, so I know what French people are all about, arrogant and stinky!"
Please leave absurd generalizations to the trolls.
Re:relapse (Score:3, Insightful)
Engineers have to share some of the blame however, I can't tell you how many good engineers refuse to go in to ma
What motivation do they have to fix it? (Score:5, Insightful)
Maybe more companies will bait their software with easy exploits to snare those who try to circumvent it
If nothing else, it gives the companies an excuse to their shareholders for shoddy coding.
Re:What motivation do they have to fix it? (Score:2)
Sure they can sue makers of commercial cracking programs, but fact remains that many people can use such programs to make 'illegal' copies of my documents. Suing with the DMCA doesn't make much change in that respect.
This may be good for OSS (Score:4, Interesting)
Re:This may be good for OSS (Score:5, Funny)
Well, you COULD say that, but then you'd be violating the DMCA, and they'd have to put you away.
Re:This may be good for OSS (Score:3, Interesting)
Re:What motivation do they have to fix it? (Score:2, Interesting)
Unless Adobe doesn't really care about the format. Maybe they just won't fix it because they expect Microsoft to take over the ebook market with its DRM plans.
Response from Adobe Lawyer... (Score:5, Funny)
Bwahaha! (Score:5, Funny)
Re:Bwahaha! (Score:2)
Re:Bwahaha! (Score:3, Informative)
Seriously! [slashdot.org]
Re:Bwahaha! (Score:3, Informative)
Re:Bwahaha! (Score:3, Insightful)
This is the perfect example... (Score:5, Funny)
When those bugs crawl out from under the rug... that's when you start feeling the pinch... quite literally... coz they're nasty bugs that bite.
Re:This is the perfect example... (Score:5, Funny)
Do you think you could mix any more metaphors into that post, please?
Possibly a case of the baby calling the kettle black, though
Re:This is the perfect example... (Score:2, Funny)
now he has to lie in it.
Re:This is the perfect example... (Score:3, Funny)
Well, well... (Score:5, Funny)
Sueing the people until they stop caring and reporting them (the bugs).
That amazon guy probably has already patented it.
Re:Well, well... (Score:2, Funny)
Oh, but amazons are girls, not guys.
(OK, offtopic.. humor me..)
Re:Well, well... (Score:2)
Surely there must be a roughly equal amount of amazon boys as well as girls, otherwise the species would die out.
Re:Well, well... (Score:3, Funny)
not much of a vulnerability (Score:4, Informative)
Big vulnerability (Score:5, Informative)
As you may already know many companies use PDF to realse secure documents, this companies are confident that adobe security will keep the document as read only so no llama will make changes for fun or copy paste their info.
But then we have this vulnerability where you can load a custom plugin in secure mod, this plug in could use all the privileges a secure plug in has, like for example saving an unencrypted version of the file or, why not, a pain text copy.
This sound like a big vulnerability to me, but companies that use Acrobat are the ones that should be angry.
Re:Big vulnerability (Score:2, Informative)
Any "secure" text-display is subject to modification, even by low-end computer users. It's as easy as pressing the Print Screen key and using a scanner with bundled consumer OCR software to convert the image back into paginated (and editable) text.
The problem with the PDF security hole is moreso in the matter of digital signatures. If someone were to expl
NOT a problem (Score:2)
Re:NOT a problem (Score:5, Informative)
THAT is the problem. Companies use Adobe Acrobat to create forms that should not be altered outside the company, like contracts, and send them to their customers to fill out. If said company can no longer trust that their customers won't be able to change text in their contract without notifying them, then Adobe Acrobat is completely meaningless.
My last job was at an ISP that would create contracts and accounting papers in Acrobat, then send them to people to fill in certain information. Sometimes, the documents could be 30-50 pages in length. It obviously would take quite a long time to manually go through and verify that nothing inappropriate (i.e. the cost of getting out of the contract) would be changed. Of course, in that case, the company deserved whatever it got, but that's beside the point.
Re:NOT a problem (Score:3, Insightful)
Well, I don't want to sound like a jerk, but it's not my problem, and security settings (often applied inappropriately or inadvertently) cause me a lot of hassles.
Re:NOT a problem (Score:3, Insightful)
I'm irritated at "security" being shoehorned into a DTP appliction. Also, since it isn;t secure abyway (as the article), it's just maiking me waste my time and only providing you with imaginary security.
If the "securing" stage is too irritating or annoying, why don't you use Microsoft Word or OpenOffice Writer or something that doesn't have those options?
Because those applications are quite useless for DTP.
I use PDF because it's part
Excellent! (Score:5, Insightful)
Have you got any idea how fscking difficult it is for the poor chap to read "protected"[1] PDF files? Trust me, it's pure hell!!
At least, since Adobe has decided to pull an MS on its users and ignore known problems, maybe I'll be able to crack some of these protected files for my friend, so that he can read them.
So, there are, er, ahem... unexpected benefits to this sh___y Adobe attitude...
Just my US$ 0.02...
[1] "Protected" as in: "can't print, can't copy, can't save as". Yes, Virginia, you can create that kind of PDF files!
Re:Excellent! (Score:5, Insightful)
Re:Excellent! (Score:5, Interesting)
Bzzzzt! Wrong answer!
But it is still possible to create a PDF file that does not allow any manipulation or export...
I am definitely going to order one of the Elcomsoft utility for my friend...
Gun makers don't kill people but do print manuals (Score:2)
[Adobe] is not responsible for the PDF files that are produced by its customers.
I agree that gun makers don't kill people. Still, I'd like to point out that just as makers of dangerous devices include copious warnings in the manuals, Adobe's manual writers could have warned users that fully restricted PDF files will often interfere with assistive technologies and prove less useful to people with vision problems.
Non-discrimination laws vs the blind only apply to some countries (AFAIK USA and -- maybe
Re:Excellent! (Score:2)
Re:Excellent! (Score:5, Informative)
1. Acrobat has a read aloud function for the visually impaired. It's not perfect, a rather tinny voice, but it is functional. I, err, listened to a chapter or so of the latest Potter book (don't ask!) while driving, and could make perfect sense of the text to speech. This function is available when read access is given to the document.
2. Adobe does warn people in the manual that pdfs are not very secure. They don't admit that Acrobat can be cracked, but the say something to the effect of "other pdf readers may not implement the pdf security features properly, and your secure document may not retain security with those readers." Of course, you can remove any pdf security with GhostScript, using a cracked dll.
Vend Ekkai
Re:Excellent! (Score:2)
"cracked" dll? (Score:3, Insightful)
Of course, you can remove any pdf security with GhostScript, using a cracked dll.
You don't need to crack the dll - you could just take the open source version, change the source, and compile it.
"Cracked dll" sounds sexier, I suppose ;) After all, only evil hackers would want to defeat "PDF security" :)
Re:Excellent! (Score:4, Interesting)
In the off chance that doesn't work, you can import the file, page by page, into Photoshop and resave the pages. But that's really only an option with files that are fairly small in terms of page count.
Kierthos
Sklyarov (Score:5, Informative)
Sklyarov!
Re:Sklyarov (Score:3, Funny)
Re:Sklyarov (Score:2)
It's all a conspiracy to halve his google-ranking.
Team up with Lexmark? (Score:5, Insightful)
Perhaps Adobe should work with Lexmark to help them out with the crypto coding; you know, that great company that protects the consumer against accidentally using cheap ink [slashdot.org] with strong cryptographic chips. Then Adobe could not only provide a PDF option to prevent you from printing a document, they could also enforce that if printed, a PDF document will only be printed with 100%-genuine Lexmark toner. Oh, I see another option with Kodak here, perhaps by embedding RFID tags directly in that specical Kodak paper.
BTW, did anyone notice that with the latest PDF specification, version 1.5, which corresponds to Acrobat 6, that they added verbage to the copyright/license part to enforce that all software which implements the PDF specification must obey all those stupid magic security bits? They claim the specification is open and free for anybody to develop software around it, but that since the "format" is copyrighted all independently developed software must obey their fragile DRM schemes. How in the world can they copyright a format; sure their specification is copyrighted being a printed work, but the "format"?
Re:Team up with Lexmark? (Score:5, Insightful)
Acrobat isn't so wonderful... (Score:5, Interesting)
Sure you have chapters, exact replication of your original document, DRM, cross platform, and other nifty features, but all this and more could be implemented using a combination of HTML, PHP, and java.
For example, if I was going to sell some html online I could use the PHP application oscommerce to make sure I got paid, HTML for chapters and such, and java to disable people from simply copying and pasting the text somewhere it could be shared.
Sure, it sounds really technical to the folks that are used to doing a "file>save>PDF" in acrobat. But I wouldn't think that it would be that much more difficult.
Re:Acrobat isn't so wonderful... (Score:5, Insightful)
Until Java is supported well cross-platform, and as soon as you can somehow get people to obey all your PHP-HTML-Java rules, then be queit.
The beauty of PDF, is exactly it's name Portable Document Format just about every platform supports PDF in one form or another, besides a couple ignored security holes here and there, I think PDF is a functional format.
You can have formatted text and images, looking the same on just about every platform that has a GUI.
Re:Always looks the same: like shit (Score:2, Funny)
Fight the power, man!
Re:Always looks the same: like shit (Score:3, Insightful)
Adding artificial limitations to computer programs is stupid. PDF format is evil and serves little valid purposes. One of them is remote printing - sending an electronic copy to someone else, who can print it and have the print layout preserved. But if you need to print the document, you can probably get it in
Unfortunately, most people don'
Re:Acrobat isn't so wonderful... (Score:2, Insightful)
Incidentally, does anyone know of any patents or copyrights on PS?
Re:Acrobat isn't so wonderful... (Score:3, Interesting)
Better than PS, why not use dvi? Definitely no royalties or patents here, and by the mere specification of it, device independent format, it is device, os, whatever independent and will look the same on anything that it is viewed on. Sure at this point it is implemented by TeX, but there is no one stopping it from being implemented elsewhere.
Re:Acrobat isn't so wonderful... (Score:5, Informative)
- When an advertiser sends your their ad as PDF, they can be almost 100% certain that it will appear on our systems exactly the same as it did on theirs.(*)
- When we send our magazines off for printing, we can be almost 100% certain that what the printers see on their systems is what we saw on ours(**)
Aside from the above, there are many other reasons why PDF is the industry standard in publishing (and, unlike Mac, it's a real standard. Once we weaned our designers off Apple and over to PC, they've been full of nothing but praise for the platform. Yep, that's right, we're a magazine publishing company that doesn't use Apple.)Despite your claims, HTML is never and will never be a means of displaying content the same way across multiple platforms. Heck, it wasn't even designed for that use in the first place. People try to make HTML-formatted content look exactly the same cross-platform, but when it changes layout at the even the slightest screen resolution change, it's a lost cause.
I read the Elcomsoft post to bugtraq this afternoon, and I agree Adobe's attempt to fix the problem was, at best, a poor effort. However, their failure to fix a flaw in their application does not mean that companies can up and switch to formats that not only do not do the same basic job PDF does (consistent display cross platform), but don't even claim to do so.
*Varibles such as colour saturation, monitor differences and even things as small as the level and angle of light being cast onto a monitor affect the display. However, this does not affect the printing process.
**Once again, you have variables that are almost uncontrollable such as types of ink, non-PDF fuckups at the printer's end, etc.
Re:Acrobat isn't so wonderful... (Score:3, Insightful)
1) While PDF is a good solution (as I already said in another post) for remote printing, the applications supporting it (Acrobat Reader) are a very poor choice for well, reading. Reading ebooks in Acrobat Reader is like wiping your ass with emery paper.
2) While HTML is a poor choice for publishers, a similar XML-based format could be ma
Re:Acrobat isn't so wonderful... (Score:2)
How do you plan on doing that with HTML?
Re:Acrobat isn't so wonderful... (Score:3, Insightful)
PDF has many advantages, but that isn't one of them. You generally use vector fonts in HTML (such as Truetype Arial and Times). When I zoom a HTML page, the type stays smooth. However, graphics in HTML are only bitmap (jpeg, gif, png), and these may not scale so nicely. PDF generally includes images as jpegs, but also can have vector graphics.
Re:Acrobat isn't so wonderful... (Score:5, Insightful)
>You generally use vector fonts in HTML (such as Truetype Arial and Times).
Sure, go ahead and specify those fonts. Is my Lynx text mode console browser going to render them? What you mean is that it should look as you intended on (e.g.) IE 6.0.2800.1106.xpsp2.030422-1633 on XP Home build 2002 SP1 English with the exact fonts that you had on your machine when you created it.
Who do we contact at Adobe? (Score:5, Insightful)
Who do we contact at Adobe? How do we make a serious stink about this? Are the board members of this company contactable somehow? I'd go to the effort of writing a decent letter explaining to them their stupidity and callousness, if I knew where to send it.
Re:Who do we contact at Adobe? (Score:5, Funny)
brickwall@adobe.com
Re:Who do we contact at Adobe? (Score:2)
Their sales and marketing department.
"How do we make a serious stink about this?"
By not buying their products.
Re:Who do we contact at Adobe? (Score:3, Insightful)
Consider the irony that you will be complaining about how Adobe is authenticating the trustworthiness of plugins, based on misleading information in an angry rant from a very untrustworthy Russian company with a history discovering Adobe's vulnerabilities and then selling (for profit) exploit tools that exploit those vulnerabilities.
What were you going to complain about again to Adobe's senior management... oh yes, it was "their stupidity and callou
They've to keep the lawsuits rolling (Score:5, Funny)
"They're like guarddogs" after more beers "if you don't feed them well they might bite you one day"
I know this is an unfair comparison. Accept my apology to all the faithful employees...I meant to those guarddogs.
And the /. community says I told you so (Score:5, Insightful)
Why fix software when we can send lawyers and make examples and burning effigies instead?
Microsoft does the same... and profits!! (Score:5, Interesting)
Every new release of s/w causes some code to break - a game here, a dll there, an application and so forth. The only thing that runs well on all flavours of MS OSes from DOS to XP is viruses!
It's easier to obfuscate and profitable as well, apparently.
Re:Microsoft does the same... and profits!! (Score:2, Informative)
You overrate viruses. Take it from someone who works at an AV company and who spent 2 years in the virus analysis team, roughly 90% of them fail to do part or all of what their writer intended to do.
Viruses are not an exclusion to your law-of-patchiness.
Re:Microsoft does the same... and profits!! (Score:5, Interesting)
No, I don't. To put things in perspective, a virus is actually a software exploit of a bug in the OS and components. Immunity to a s/w virus does not mean deleting the instance or occurence of the virus, it means correcting the code which caused the virus to work in the first place!
We've been conditioned into thinking that viruses are external to the OS and can't be prevented, only cured by yet another piece of s/w. It's difficult to appreciate the sloppiness of code that gets passed thru generations of Windoze without fixing of bugs.
In short, I don't mean "Built-in anti-virus software" but "Removal of bugs in code with each new code version atleast".
Re:Microsoft does the same... and profits!! (Score:2)
As far as I know, most viruses in their execution work using common OS scripts and commands. It's something where the fix will be worse than the cure.
And I think MS is doing something just like that anyway. Isn't that what Longhorn is going to be?
(Not that I support Longhorn, it's going to be a monumental flop, but I digress)
How viruses spread and how to prevent it (Score:3, Insightful)
As far as I know, most viruses in their execution work using common OS scripts and commands.
As far as I know, most Windows viruses can't spread without either 1. opening an outgoing connection on SMTP's port, 2. telling Outlook to open an outgoing connection on SMTP's port, or 3. opening executables installed by the administrator for writing. Not giving unknown programs the capability [eros-os.org] to do this would stop viruses from spreading. This is possible even in a Windows environment: don't allow unknown progra
Re:How viruses spread and how to prevent it (Score:3, Interesting)
Tech supports solution is "run as
Re:Microsoft does the same... and profits!! (Score:2, Interesting)
This is the case for trojans, viruses spreading by mail (I should say "via Outlook"). For those I have to agree with you.
But I'm used to think about virus in terms of a little (native) piece of code which replicates by copying itself in another piece of code. From that perspective, I can't see any other solution than breaking everything at each new release, or embedding a antivirus into the OS.
Some years ago, viruses were writte
Re:Microsoft does the same... and profits!! (Score:3, Interesting)
Assembler? Bah! Assembler generates too much bloat.
Real viruses are handcoded in hexadecimal and 'compiled' with debug.
Those were the days.
And you're right, what he's saying doesn't make too much sense in the context of that sort of virus - although having an actual security model like real operating systems hampers them, it can't prevent them.
But take a look at the crap that passes for viruses these days. 99.9% of it won't work even on my windows machine, simply because it is completely devoid of m
Re:Microsoft does the same... and profits!! (Score:2)
A virus is *actually* a piece of code that cannot run on its own, but instead must be within a host file. A virus also always replicates itself my infecting other files. (if it can run on its own, it's a worm. If it doesn't replicate, it's a patch).
And viruses don't "exploit bugs" at all. They simple append their code into a file (usually the beginning) or into a file (unused code, etc) and then "point" the program to run that code. Save deleting every executeable on the system, or
Re:Microsoft does the same... and profits!! (Score:4, Insightful)
1) It (has been/is) relatively uncommon. The old Mac OS had a couple hundred native viruses, compared to the tens of thousande for MS OSes. It's not because they were less vulnerable, it's because they were less common. Now, extrapolate from the 95/5% usage patterns of Windows 3.1/Mac OS 7, and try to figure out howmany viruses the old
2) Huge variety of platforms. The same compiled code that runs on an PA-RISC machine will not run under Sparc, MIPS, POWER, etc. Add into that the wide variety of OSes on each platform (Sparc Linux, Solaris, Sparc NetBSD) and you have a relatively low concentration of machines vulnerable to any given exploit.
3) Different users. The dicks who write virii are usually not going to be the same people that administer a machine for a living, they're going to be the 20-year-old college kid with too much time on his hands. They have access to a Windows machine, but probably not high-level access to a *NIX machine.
4) Most virii we see now are not OS-targetted. Sure, it may use Win32 functions, but it's really an Outlook virus. Or a Word virus.
5) Low chance for inter-machine interaction. What's the chance that a Windows machine will be talking to another Windows machine? Wost users are on a Windows machine, so the list of possible transmission vectors is immense compared to those for other platforms.
Sure, the security model in UNIX is more thorough than that of Windows. Still, there have been a fair number of root exploits in common daemons lately that would allow a worm/virus to spread - but because of the above reasons, UNIX just isn't a good target for a virus writer.
Most people can't do both. (Score:5, Interesting)
Very, very few people, apparently, have both technical knowledge and managerial knowledge.
The problem mentioned in the Slashdot story appears to be that Bruce Chizen, Adobe president, is not prepared for the intellectual challenge of running a technical company. He's been a salesman and marketing manager [google.com] all his life. Now Adobe has become dependent on Acrobat [siliconvalley.com], and has a big customer for Acrobat, the IRS (U.S. Internal Revenue Service).
It's amazing. The job pays extremely well [siliconvalley.com], even though the smart people [macworld.com] are gone, Adobe has laid off people, and the stock [yahoo.com] is slowly sliding.
We live in a business climate in which a few people at the top make a huge amount of money, and other people suffer, even though they helped make the money.
There seems to be a pattern with technological companies. The people who really understand the technology get tired and go on to other things, or are forced out of the company they founded (as was Jobs at Apple). Everyone pretends that nothing has happened, and the company runs on inertia for a while. With luck, the new managers, who try to hide the fact that they really don't understand what the company does, encounter a business upturn. But inside the company is dying.
John Sculley was a sugar water salesman (Pepsi) before he came to Apple and forced Jobs out. Apple looked okay for a while, but slowly lost importance. Then Jobs came back, and Apple became very important.
Adobe's Postscript is brilliant technology. Using Postscript to make PDF files is brilliant. Knowing what photo editing tools need to go into Photoshop requires deep technical understanding. Probably Bruce Chizen understands none of this. Can a manager run something he does not understand? No.
Re:Most people can't do both. (Score:3, Insightful)
Of course a manager can't run something he doesn't understand. But modern business theory says that the product (or technology) doesn't matter. All that matters - all - is your cash-flow strategy. Of course, this theory couldn't possibly be wrong and responsible for the collapse of the domestic tech industry (or the economic depression in general). No, that must be because tech is "commoditizing" and there's nothing new to do, right?
Of course, this doesn't work. Like outsourcing and moving jobs overseas t
Re:Most people can't do both. (Score:2, Informative)
Obviously this was good for Harvard business school graduates and, by association, for the Harvard business school itself, but it has been disastrous for American business.
Symptomatic of "managing" as a profession (Score:3, Insightful)
Also, if you really want to make "managing" a profession, then the traditional hierarchy-of-power-implies-hierarchy-of-pay model where managers make more money than the people working for them doesn't make sense. It was designed in the days when managers worked their way up f
Adobe's Response (Score:5, Funny)
DIMITRI: If you will not fix rot13 encryption, we shall publish an exploit!
ADOBE LAWYER: You don't frighten us, Russian pig-dogs! Go and boil your bottom, sons of a silly person. I blow my nose at you, so-called Dimitri Hacker, you and all your silly Russian k-nnnnniggets. Thpppppt! Thppt!Thppt!
SLASHDOT: What a strange company.
DIMITRI: Now look here, my good man--
ADOBE LAWYER: I don't wanna talk to you no more, you empty headed animal food trough wiper! I fart in your general direction! You mother was a hamster and your father smelt of elderberries!
SLASHDOT: Is there someone else up there he could talk to?
ADOBE LAWYER: No, now go away or I shall sue you a second time-a!
ADOBE EMPLOYEE #1: I didn't know we were Idiots?
ADOBE EMPLOYEE #2: Of course, why else do you think we are protecting this ridiculous algorithm?
[/monty python reference]
DMCA = right to sue, != requirement to fix (Score:5, Insightful)
This really shouldn't surprise anyone. The DMCA gives companies a right to sue if you reverse engineer an encyption device. But the DMCA offers no protecting to the consumer by requireing a company to FIX the problem.
Besides /., this story has not had a whole lot of publicity. Add to that the fact that most people wouldn't know how to decrypt the e-books (and, more importantly, probably don't all that much care), there really isn't much incentive for Adobe to fix it.
The puzzling thing to me is that it seems like it really wouldn't cost all that much to fix. I mean, it is a patch afterall and every friggin time I start up Photoshop Elements it is downloading some update (though not sending any of my personal information... hehe!).
IAAL, so what I start to think is: Does Adobe have any liability for failure to patch the software when an author loses money because his or her ebook is pirated? No doubt in advertising and selling the software, Adobe touted the encryption as a safety feature. Contributory infringement, maybe? Misrepresentation? A warranty theory? Hmm....
Misleading title, misleading hype... (Score:5, Informative)
They characterize a new bug (oversight in the fix, see below) as having done absolutely nothing. Not very honest...
I'm pretty impressed that slashdot didn't post the inaccurate "no improvements for 2 years" title, when it is clearly a fact (based on the text of the article) that Adobe added a new, stronger signing method in version 6, as a good-faith attempt to solve this problem. Yes, "2 years" appears to be true, but that's not the 2 years from July 2001 to July 2003 (today).
Likewise, the statement at the top: "oftware released in 2003 contains vulnerabilities disclosured in 2001" gives the impression that the new version contains the exact same vulnerability, rather than an oversight in a major rework of the security mechanism that was intended to fix the bug.
It sounds like Adobe really did try to fix the problem. They implemented a new, strong signing method. They even adandoned backwards compatibility and refuse to load the old, easily forged plugins when in certified mode. As Elcom's message explains, Acrobat 6 only allows "certified" mode if all the plugins have the new, strong signatures, or if all the plugins if finds have these signatures it automatically goes into certified mode.
The real complaint appears to be an oversight that some undocument function, which is callable in uncertified mode by an unsigned plugin (or one of the legacy weakly authenticated plugins) can call this undocumented function and cause Acrobat to switch into certified mode. Quoting from the Elcom message:
So there you have it, a secutity real announcement, burried after a lengthy rant about how slow and unresponsive Adobe has been.
Yes, Adobe has a bad attitude. Yes, they fscked up and their attempt to fix the problem still has an exploitable weakness. Ok, I can buy that Adode has a bad attitude.
Elcom (or specifically, Vladimir Katalov) doesn't impress me much either, when it comes to attitude and standards of professional conduct. This angry rant attempts to paint a picture of Adobe has having still done utterly nothing to fix this problem... including a very misleading tital and summary.
Katalov sinks to the tactic of use a embedded an advisory of a weakness to attract attention to an angry rant about his frustrations with Adobe's unresponsive history.
Re:Misleading title, misleading hype... (Score:5, Insightful)
The DMCA sucks, Adobe is unresponsive, and Dmitry shoulda been released promptly.... but regardless of all that, everybody should remember that we're dealing with a for-profit company that discovered weaknesses and first created and SOLD for-profit exploits and went on a campaign to promote it... and only reported to CERT after a legal battle that forced them to pull their commercial exploit product from the market.
I believe your allegations are false. (Score:3, Informative)
You acuse others of misleading statements... but I was actually at defcon9, and was in the audience during Dmitry's presentation. I think you were not.
Elcomsoft did not sell an exploit tool. They sold a companion product for a flawed piece of commercial software. (Just like the companies that sell antiviruses for windows.) This product allowed users to exercise their legal rights under Russian law.
Dmitry did not "announce the exploit at defcon". He gave a presentation detailing weaknesses in a com
Let's really be honest. (Score:3, Informative)
unsurprising and unfixable (Score:5, Insightful)
Adobe is trying to tell customers that they have a format in which you can send a document to someone, and that document will only be readable on that one computer, or will not be printable, or will not be copyable to the clipboard or whatever.
This is fundamentally impossible. If my computer can display the document on screen for me, then this means that the computer MUST have all the required information to do so. This includes any and all secret keys if the document is encrypted and so on.
This implies that the computer also has all the info needed to print the document, or copy it to the clipboard or whatever. Now, Adobes product could only work if the computer "knew" how to do this, but refused to do it anyway, in other words, if the computer was not obeying the end-user.
This is possible with secure hardware and similar that refuse to run code that is not digitally signed by the real master (not the end-user and owner!). But with the current computers that happily run anything you the user want in priviledged mode it is not possible.
Sure they could, and probably should, patch this spesific hole. But there's nothing Adobe can do to make they so-called "secure pdf" actually do what they claim it will do. And they know it.
Re:unsurprising and unfixable (Score:3, Insightful)
No, even that will be defeated. The digital signature is checked only once (it would be ridiculous to re-check it, say, before executing each instruction). There's a billion different ways you can take advantage of this. Say, for example, some code is loaded into RAM and its signature is checked. Now, all you have to do is replace the "validated" program with your own code in RAM. Supp
What about the end user's responsibility? (Score:5, Insightful)
Sure, Adobe still has a "vulnerability" in the strict sense of the word, and if they want to continue marketing a weak security product, that is their business. In my opinion, their inspired release of Acrobat Elements will make Adobe a bigger player and Acrobat a major product. Going in to this with a problem is just bad business and will not help them. And whacking the messenger with the DMCA is definitely not a solution!
Their area of expertise... (Score:5, Funny)
If they're using the DMCA to hide security holes.. (Score:3, Funny)
Do they really need us anymore? (Score:3, Insightful)
1)Create Buggy Software
2)Prosecute anybody who finds these bugs.
3)?????
4)Profit!!!
Why not just pass a law a to make it illegal to complain?
Typically Adobe... (Score:3, Interesting)
But then I realized something...
I've worked in companies which were active beta and alpha testers for adobe software of all kinds, but especially for the print industry.
Adobe rarely admits bugs. Period. As long as the problem is not a show-stopper (or is an obscure show-stopper), it will rarely get fixed. It _may_ get a mention in the knowledgebase, but this is not a given.
There are still things plauging the printing industry in multiple versions of multiple Adobe products -- Acrobat, Illustrator, Indesign, etc.
So, no, it's not a surpise that Adobe didn't fix this. They don't fix much.
Re:YOU ARE ALL GOAT FUCKERS!!! (Score:5, Funny)
I think this must be the official reply from the Adobe spokesperson.