ElcomSoft reports alleged vulnerabilities in Adobe's eBook Library
Distributed on BugTraq and VulnWatch email lists
12 July 2002
By Kurt Foss, Planet PDF Editor
A "bug and vulnerability" report citing alleged weaknesses in Adobe Systems' eBook Library was distributed today on BugTraq and VulnWatch, two popular broadcast email lists that monitor such matters. The report was submitted by ElcomSoft Co. Ltd., the Moscow, Russia-based software company currently facing criminal indictment for reported DMCA violations -- stemming from its development and marketing last year of Advanced eBook Processor, software capable of decrypting Adobe PDF-based eBooks. Adobe had reported ElcomSoft to the federal government, which led to the arrest last July of ElcomSoft programmer Dmitry Sklyarov. That pending case -- charges are now against the company rather than the single employee -- goes to court August 26 in a California District Court.
ElcomSoft's newly issued report includes a description of several vulnerabilities it says exist in the new library features of Adobe's Content Server 3.0, announced last month as a way for libraries to expand eBook availability:
"According to the Adobe description, the Adobe eBook Library uses Adobe Content Server as a secure repository for the eBooks."
"There are a few books available -- 5 copies of each. The customer can borrow any book for a fixed period of time (one or three days); when one customer gets a book, the counter ('number of books available') is decreased, and when it reaches zero, this book becomes unavailable until at least one other customer returns it to the library or the loan period expires."
ElcomSoft further describes three specific vulnerabilities, suggesting that it is possible to obtain all available copies of any book, that the loan period is not verified, and that a user can still obtain copies of a book after the book counter has reached zero. ElcomSoft says these flaws make it possible for someone to "implement something like 'Denial-of-service' attack for the library," so that no books would be available to others.
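The lending model the report describes (a fixed number of copies per title, a one- or three-day loan, a counter that drops to zero and recovers only when a copy is returned or its loan expires) is easiest to reason about as a small server-side ledger. The following Python example is added here and is not Adobe's or ElcomSoft's code; it assumes a hypothetical `LendingLibrary` class with constructed titles, patrons and timestamps, and shows the three checks the report says were missing being enforced on the server: the loan period is restricted to the allowed values, each patron is limited to one copy per title so a single account cannot empty the shelf, and the copy counter is authoritative, with the server's own clock deciding when a loan has expired.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed parameters, taken from the lending model the report describes:
# five copies of each title, loans of one or three days.
COPIES_PER_TITLE = 5
ALLOWED_LOAN_DAYS = (1, 3)


@dataclass
class Loan:
    patron: str
    title: str
    due: datetime


class LendingLibrary:
    """Hypothetical server-side lending ledger. Every decision uses the
    server's copy counter and the server's clock, never client-supplied state."""

    def __init__(self, titles):
        self._copies = {title: COPIES_PER_TITLE for title in titles}
        self._loans = []

    def _expire_loans(self, now):
        # Return copies whose loan period has elapsed according to the server clock.
        active = []
        for loan in self._loans:
            if loan.due <= now:
                self._copies[loan.title] += 1
            else:
                active.append(loan)
        self._loans = active

    def available(self, title, now):
        self._expire_loans(now)
        return self._copies[title]

    def borrow(self, patron, title, days, now):
        self._expire_loans(now)
        if title not in self._copies:
            raise KeyError(title)
        # Check 1: the loan period comes from a server-side whitelist.
        if days not in ALLOWED_LOAN_DAYS:
            raise ValueError(f"loan period must be one of {ALLOWED_LOAN_DAYS} days")
        # Check 2: one copy per patron per title, so one account cannot drain the shelf.
        if any(l.patron == patron and l.title == title for l in self._loans):
            raise PermissionError(f"{patron} already holds a copy of {title!r}")
        # Check 3: the counter is authoritative; at zero no loan is issued.
        if self._copies[title] <= 0:
            raise LookupError(f"no copies of {title!r} available")
        self._copies[title] -= 1
        loan = Loan(patron, title, now + timedelta(days=days))
        self._loans.append(loan)
        return loan

    def return_book(self, patron, title, now):
        self._expire_loans(now)
        for loan in self._loans:
            if loan.patron == patron and loan.title == title:
                self._loans.remove(loan)
                self._copies[title] += 1
                return loan
        raise LookupError(f"{patron} holds no copy of {title!r}")


def attempt(library, patron, title, days, now):
    """Try a borrow and report the outcome as a string (for tests and demos)."""
    try:
        library.borrow(patron, title, days, now)
        return "ok"
    except (ValueError, PermissionError, LookupError) as exc:
        return type(exc).__name__


def demo():
    # Constructed scenario: six patrons compete for the five copies of one title.
    t0 = datetime(2002, 7, 12, tzinfo=timezone.utc)
    lib = LendingLibrary(["Sample Title"])
    results = [attempt(lib, "alice", "Sample Title", 1, t0)]
    results.append(attempt(lib, "alice", "Sample Title", 3, t0))  # second copy refused
    results.append(attempt(lib, "bob", "Sample Title", 30, t0))   # bogus period refused
    for patron in ("bob", "carol", "dave", "erin"):
        results.append(attempt(lib, patron, "Sample Title", 3, t0))
    results.append(attempt(lib, "frank", "Sample Title", 1, t0))  # shelf is empty
    # One day later alice's loan has expired, so one copy is back on the shelf.
    results.append(lib.available("Sample Title", t0 + timedelta(days=1)))
    return results


if __name__ == "__main__":
    print(demo())
```

The point of passing `now` into every method is that expiry is computed from a clock the server controls; a client that claims a longer loan period, or that keeps asking after the counter is zero, is simply refused.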
The report, authored by ElcomSoft's Vladimir Katalov, also includes the following statement:
"Some time ago we found a much more serious problem with another Adobe software product and reported it to the vendor; however, there was no response at all, so we decided not to waste our time reporting this one (about the library) to Adobe."
In the eBook decryption case for which the company faces criminal charges in the U.S., ElcomSoft initially stated that it had reported flaws in Adobe's PDF eBook security to Adobe but received no response. Adobe has repeatedly said it received no such communication from ElcomSoft regarding the previous allegations. ElcomSoft told Planet PDF today that the statement about "another Adobe software" was not a reference to last year's PDF security allegations.
"This is not about Advanced eBook Processor (AEBPR)," says ElcomSoft president Alexander Katalov, suggesting that his company has "already reported some bugs and vulnerabilities" to Adobe recently, adding that ElcomSoft has a "large collection of flaws in Adobe software."
Asked about the new eBook Library report distributed today, Adobe offered the following official statement:
"Adobe will evaluate this report, as we do any report we receive. For security reasons, Adobe can't discuss the measures we take as a result. Security is an ongoing effort. We are committed to strengthening the security of our products by using sophisticated, industry-standard levels of software encryption and working with the software community, including 'White Hat' security experts, to incorporate features to advance the quality of our products. However, no software is 100 percent secure from determined hackers."