Title: Adobe eBook Reader File Transfer Authorization Voucher Weak Algorithm Vulnerability
Severity: MODERATE
Description:
Adobe eBook Reader is a client-side application for viewing Adobe eBooks, available for Microsoft Windows and Macintosh OS 9. eBooks are electronic books which provide some protection for content. Users may own and view a book, but have limited rights to transfer the content.
Reportedly, an eBook may be transferred to a different computer by backing up the book content and a number of data files. When the eBook is opened, however, the user will be prompted for a new authorization voucher, and given a challenge string. Normally, the user must contact Adobe for an updated voucher response.
It has been reported that the encryption scheme used for this challenge/response cycle is fundamentally flawed. Allegedly, both the challenge and response can be computed using commonly available cryptographic algorithms. Additionally, the secret information required to generate both strings is stored within the eBook Reader executable file, which is available to the local user.
Full details on the algorithms used have not been provided. It is not unreasonable, however, to assume that a skilled attacker could derive the details of the algorithm through experimentation.
As a result, a malicious user may freely transfer eBook content between computers.
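The design flaw described above, contrasted with a voucher check that keeps the signing key off the client, as an added example that is not Adobe's code and not part of the original advisory. The advisory does not give the real algorithms, so HMAC-SHA256 and Ed25519 are stand-ins, and every name and value here is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-in for the secret the advisory says ships inside the
// reader executable; the real value and algorithm are not public.
var embeddedSecret = []byte("constructed-secret-shipped-in-client")

// weakResponse models the flawed design: a keyed hash of the challenge.
func weakResponse(secret, challenge []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(challenge)
	return m.Sum(nil)
}

// weakClientAccepts is the client-side check; it needs the secret itself.
func weakClientAccepts(challenge, response []byte) bool {
	return hmac.Equal(weakResponse(embeddedSecret, challenge), response)
}

// signedClientAccepts is the hardened check: the client holds only the
// vendor's public key, so it can verify a voucher but cannot create one.
func signedClientAccepts(pub ed25519.PublicKey, challenge, voucher []byte) bool {
	return ed25519.Verify(pub, challenge, voucher)
}

// demo reports: weak check accepts a locally computed response, signed check
// accepts that same response, signed check accepts the vendor's voucher.
func demo() (bool, bool, bool) {
	challenge := []byte("constructed-challenge-for-second-machine")
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	local := weakResponse(embeddedSecret, challenge) // uses only client contents
	vendor := ed25519.Sign(priv, challenge)          // private key stays with the vendor
	return weakClientAccepts(challenge, local),
		signedClientAccepts(pub, challenge, local),
		signedClientAccepts(pub, challenge, vendor)
}

func main() {
	w, f, v := demo()
	fmt.Printf("weak/local=%v signed/local=%v signed/vendor=%v\n", w, f, v)
}
```

With a symmetric secret in the executable, the party being authorized holds everything needed to authorize itself; with a signature, the client's copy of the public key grants verification only.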
Affected Products:
- Adobe eBook Reader for Mac OS 9 2.1.0
- Adobe eBook Reader for Mac OS 9 2.2.0
- Adobe eBook Reader for Windows 2.1.0
- Adobe eBook Reader for Windows 2.2.0
References:
- Adobe: eBook Reader Homepage