Adobe Acrobat & PDF security: no improvements for 2 years. Software released in 2003 contains vulnerabilities disclosured in 2001.

In early 2001, we have discovered a serious security flaw in Adobe Acrobat & Adobe Acrobat Reader. In July'2001, we've briefly described it in "eBook Security: Theory & Practice" speech on DefCon security conference. Since there was no reaction from Adobe (though Adobe representative has attended the conference), we have reported this vulnerability to CERT in September'2002 (after more than a year), still not disclosing technical details to the public. Only in March'2003, CERT Vulnerability Note (VU#549913) has been published, & after a week, Adobe has responded officially (for the first time) issuing the Vendor Statement (JSHA-5EZQGZ), promising to fix the problem in new versions of Adobe Acrobat & Adobe Reader software expected in the second quarter of 2003. When these versions became available, we have found that though some minor improvements have been made, the whole Adobe security model is still very vulnerable, & so sent a follow-up to both CERT & Adobe. Both parties failed to respond.

Below is the full story.