Bug 480800 - (CVE-2008-5331) CVE-2008-5331 acroread: more efficient password encryption
Status: CLOSED CANTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
impact=moderate,source=adobe,reported...
Keywords: Security
Reported: 2009-01-20 11:58 EST by Josh Bressers
Modified: 2010-12-23 22:34 EST
Doc Type: Bug Fix
Last Closed: 2010-12-23 22:34:14 EST

Description Josh Bressers 2009-01-20 11:58:54 EST
Adobe Acrobat 9 uses more efficient encryption than previous versions, which makes it easier for attackers to guess a document's password via a brute-force attack.

http://www.elcomsoft.com/PR/apdfpr_081126_en.pdf
http://blogs.adobe.com/security/2008/12/acrobat_9_and_password_encrypt.html
http://www.securityfocus.com/bid/32610
Comment 1 Vincent Danen 2010-12-23 22:34:14 EST
I'm not sure I buy into this. Sounds like the people making the claims that it's easier to brute-force passwords in Acrobat 9 are selling a product to do that. Marketing gimmick? Maybe. Anyways, upstream does not consider this to be a vulnerability, as noted in the blog post above; it's up to the user to use a decent password or it doesn't matter what kind of encryption is used. If you use the password "cat" you've pretty much sunk your own ship. Encryption strength, or lack thereof, really doesn't have much to do when you're brute-forcing a password and Acrobat 9 is using 256-bit AES vs 128-bit AES in previous versions.

Ultimately, if Adobe doesn't think this is an issue to fix, we certainly can't fix it due to the closed-source nature of the product.  So I am closing this bug in light of this.
