Adobe DoS vulnerability exposed

Elcomsoft, the Russian company facing criminal charges for the creation of tools to circumvent Adobe's eBook software, has published details of further holes in Adobe's products.

On Friday the firm - which employs programmer Dmitri Sklyarov, who was at the heart of the investigation into Elcomsoft's breach of the Digital Millennium Copyright Act (DMCA) - posted details of yet more vulnerabilities in the eBook software.

Elcomsoft made postings to the BugTraq and Vuln-dev security mailing lists without notifying Adobe first.

"Some time ago we found much more serious problems with another [piece of] Adobe software and reported it to the vendor; however, there was no response at all, so we decided not to waste our time reporting this one [the problem with the library] to Adobe," the company said.

In the postings Vladimir Katalov, managing director of Elcomsoft, released methods of breaking security features on Adobe's eBook Library system.

The eBook Library is designed to be a secure repository for eBooks and allows users to 'borrow' titles for a specified number of days. Working just like a real library, other users cannot borrow the same book until the lease period is up.

But Katalov identified a method of borrowing all the books in the library for an unlimited time period, effectively a denial of service (DoS) attack against the eBook Library.

"It is very easy to implement something like a "denial of service" attack for the library: just get all copies of all books from the library so ... no books will be available to anybody else. Besides, there is ability to borrow the books for unlimited time," said Katalov.

The attacks can also be carried out by modifying scripts on the eBook Library website, meaning that no special tools are needed.

Two months ago a federal judge denied Elcomsoft's request to dismiss charges against it for breaching the DMCA, meaning the company now faces a criminal trial for its previous actions.