Adobe Acrobat and PDF security: no improvements for 2 years
In early 2001, we discovered a serious security flaw in Adobe Acrobat and Adobe Acrobat Reader. In July 2001, we briefly described it in the “eBook Security: Theory and Practice” speech at the DefCon security conference. Since there was no reaction from Adobe (though an Adobe representative attended the conference), we reported this vulnerability to CERT in September 2002 (after more than a year), still not disclosing technical details to the public. Only in March 2003 was the CERT Vulnerability Note (VU#549913) published, and a week later Adobe responded officially (for the first time), issuing the Vendor Statement (JSHA-5EZQGZ) and promising to fix the problem in new versions of the Adobe Acrobat and Adobe Reader software expected in the second quarter of 2003. When these versions became available, we found that though some minor improvements had been made, the whole Adobe security model is still very vulnerable, and so we sent a follow-up to both CERT and Adobe. Both parties failed to respond.
