While Adobe has been playing cop with onerous DRM, it allegedly has neglected some security essentials. Hackers theoretically may be able to zap or change information in your system if you’re using Acrobat 6.0 or Reader 6.0. So the accusations go.

Planet PDF quotes the respected CERT Coordination Center:

“Attackers that can convince users to download and install malicious programs (non-certified plug-ins) may be able to execute arbitrary code on the user’s system. Executing arbitrary code may allow an attacker to display false information when reporting document information and circumvent digital rights management features that prevent printing, copying of text, etc. This can only happen via non-certified plug-ins installed in a plug_ins directory when the ‘Use Only Certified Plug-ins’ checkbox is turned off, the default state in Adobe Acrobat 6.0 and Adobe Reader 6.0.”

Oh, and along the way, CERT also questioned the effectiveness of Adobe’s digital rights features:

“Digital content providers can not rely on plug-in cryptographic verification mechanisms to prevent attackers from gaining certain rights. These rights include printing, copying of text, and other digital-rights-management features when the attacker is able to access legitimately decrypted documents and the attacker has control of the local system. Note this can happen regardless of the plug-in architecture used. The ability for any application to protect such rights is dependent on the underlying operating system architecture, not application architecture.”

Adobe has issued a response to the vulnerability complaints, which originated from ElcomSoft–yep, the outfit that in the past has cracked Adobe’s software, and that employed the programmer who once faced jail time. Again, however, remember that CERT is a security center and has no affiliation with ElcomSoft. If CERT is right about a problem existing, this is more than just a squabble between two companies.

Meanwhile, for those interested in the details of the problem and fixes, Planet PDF has published links to CERT documents and related articles.
