Elcomsoft bypasses Adobe with bug report

Following previous bad experiences with Adobe, the Russian software company chose to make public a flaw in Content Server 3.0 rather than report it to Adobe first

The Russian company that discovered a crack in Adobe's eBook software has spurned common practice by going public with a hole it found in Adobe Content Server 3.0 rather than reporting the bug to the US software company first.

Elcomsoft's decision was prompted by previous bad experiences with Adobe. At the end of a description of the vulnerability, which was posted on BugTraq, Elcomsoft's Vladimir Katalov said: "Some time ago we found a much more serious problem with another Adobe product and reported it to the vendor; however, there was no response at all, and so we decided not to waste our time reporting this one (about the library) to Adobe."

Elcomsoft leapt to fame when one of its developers, Dmitry Sklyarov, was arrested last year during a Las Vegas security convention after giving a speech about the company's new Advanced eBook Processor software. The program removed the copy protection from Adobe Systems' eBook format, which is not illegal under Russian law. But because the software had briefly been for sale on the Internet, Adobe urged US authorities to arrest Sklyarov under the controversial DMCA legislation, which makes it illegal to develop technology that circumvents copyright locks.

The latest flaw Elcomsoft has found in Adobe software lets any visitor mount what amounts to a denial-of-service attack against a Web site Adobe set up to demonstrate the new lending-library features of Adobe Content Server 3.0.

Adobe has placed several books in the library, with five copies of each available for loan. But, according to Katalov, the demonstration has three weaknesses: nothing stops one person from taking every available copy of a single book; the loan period requested by the borrower is not validated; and when the counter of available copies reaches zero, the library still allows a copy of the book to be added to the "bookbag".

"By combining (these) bugs, it is very easy to implement something like a denial-of-service attack for the library," wrote Katalov in his warning. "Just get all copies of all books from the library (for a very large period of time -- e.g. a few years). So no books will be available to anybody else."
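The three missing checks, and how they combine into the inventory-exhaustion attack Katalov describes, modelled as an added example. This is constructed illustration code, not Adobe Content Server or Elcomsoft code: the catalogue names, the 14-day loan cap and the one-copy-per-borrower limit are assumptions; only the figure of five copies per title comes from the article. The flawed checkout sits beside a hardened one so the difference in outcome is visible on the same input.

```python
"""Toy lending library reproducing the three missing checks Katalov listed:
  1. no per-borrower limit, so one visitor can take every copy of a title;
  2. the requested loan period is accepted unvalidated (e.g. three years);
  3. the available-copies counter is decremented without being checked,
     so a copy is still handed out once it has reached zero.
Constructed example; class names, catalogue and policy numbers are assumptions."""
from dataclasses import dataclass, field

COPIES_PER_TITLE = 5                              # from the article
BOOK_NAMES = ("Title A", "Title B", "Title C")    # constructed sample catalogue


@dataclass
class Title:
    name: str
    available: int
    loans: list = field(default_factory=list)     # (borrower, loan_days) pairs


def make_catalogue():
    return [Title(n, COPIES_PER_TITLE) for n in BOOK_NAMES]


class VulnerableLibrary:
    """Models the demonstration site's behaviour: every check is missing."""

    def __init__(self, titles):
        self.titles = {t.name: t for t in titles}

    def checkout(self, borrower, title_name, loan_days):
        t = self.titles[title_name]
        t.available -= 1                          # bug 3: never checked, goes negative
        t.loans.append((borrower, loan_days))     # bugs 1 and 2: any count, any period
        return True, "added to bookbag"


class HardenedLibrary(VulnerableLibrary):
    MAX_LOAN_DAYS = 14          # assumed policy; the article gives no figure
    MAX_PER_BORROWER = 1        # assumed policy: one copy of a title per borrower

    def checkout(self, borrower, title_name, loan_days):
        t = self.titles[title_name]
        # Validate the client-supplied period before anything else (fixes bug 2).
        if not isinstance(loan_days, int) or not 1 <= loan_days <= self.MAX_LOAN_DAYS:
            return False, "loan period rejected"
        # Enforce the per-borrower cap (fixes bug 1).
        if sum(1 for b, _ in t.loans if b == borrower) >= self.MAX_PER_BORROWER:
            return False, "borrower already holds this title"
        # Check the counter before decrementing it (fixes bug 3).
        if t.available <= 0:
            return False, "no copies available"
        t.available -= 1
        t.loans.append((borrower, loan_days))
        return True, "added to bookbag"


def hoard_everything(library, borrower, loan_days, attempts_per_title=COPIES_PER_TITLE + 1):
    """Katalov's attack: one visitor requests every copy of every title for a
    very long period, trying one more time than there are copies so the
    unchecked counter is driven past zero. Returns {title: (granted, copies_left)}."""
    outcome = {}
    for name in library.titles:
        granted = sum(library.checkout(borrower, name, loan_days)[0]
                      for _ in range(attempts_per_title))
        outcome[name] = (granted, library.titles[name].available)
    return outcome


if __name__ == "__main__":
    three_years = 3 * 365
    print("vulnerable:", hoard_everything(VulnerableLibrary(make_catalogue()), "attacker", three_years))
    print("hardened:  ", hoard_everything(HardenedLibrary(make_catalogue()), "attacker", three_years))
```

Against the vulnerable library the single borrower is granted six copies of each five-copy title and every counter ends at -1; the hardened library refuses all six requests because the three-year period fails validation, and even with a valid period it grants only one copy per borrower. In a real server the check-then-decrement must also run atomically (for instance inside one database transaction with the row locked), or two concurrent requests can both pass the availability check and overdraw the counter anyway.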

Katalov included a suggested fix in his posting, and at the time of writing Adobe appeared to have applied it. An Adobe spokesperson said in a statement that the company would evaluate the report but would not discuss the measures it takes as a result. "Security is an ongoing effort," she said. "We are committed to strengthening the security of our products by using sophisticated, industry-standard levels of software encryption and working with the software community, including 'White Hat' security experts, to incorporate features to advance the quality of our products. However, no software is 100 percent secure from determined hackers."

Earlier this year a group of software companies met to hammer out the last details of an initiative to set guidelines for reporting software flaws that affect Internet security. The Organization for Internet Safety sprang from discussions between Microsoft and a handful of security companies on the responsible reporting of software bugs, known as vulnerabilities, that affect a business's security. Delaying the disclosure of vulnerabilities, and urging legitimate researchers to give software makers time to fix problems before they are made public, could play a large role in limiting the effect of newly discovered vulnerabilities in software products, the group said.
