Adobe Acrobat & PDF security

By Thomas McGuire on July 13, 2003, 7:13 AM
Adobe Acrobat & PDF security: no improvements for 2 years. Software released in 2003 contains vulnerabilities disclosured in 2001.

Summary
In early 2001, we have discovered a serious security flaw in Adobe Acrobat & Adobe Acrobat Reader. In July'2001, we've briefly described it in "eBook Security: Theory & Practice" speech on DefCon security conference. Since there was no reaction from Adobe (though Adobe representative has attended the conference), we have reported this vulnerability to CERT in September'2002 (after more than a year), still not disclosing technical details to the public. Only in March'2003, CERT Vulnerability Note (VU#549913) has been published, & after a week, Adobe has responded officially (for the first time) issuing the Vendor Statement (JSHA-5EZQGZ), promising to fix the problem in new versions of Adobe Acrobat & Adobe Reader software expected in the second quarter of 2003. When these versions became available, we have found that though some minor improvements have been made, the whole Adobe security model is still very vulnerable, & so sent a follow-up to both CERT & Adobe. Both parties failed to respond.

Below is the full story.




Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.