Adobe Acrobat 9 uses more efficient encryption than previous versions, which makes it easier for attackers to guess a document's password via a brute-force attack.
http://www.elcomsoft.com/PR/apdfpr_081126_en.pdf
http://blogs.adobe.com/security/2008/12/acrobat_9_and_password_encrypt.html
http://www.securityfocus.com/bid/32610
I'm not sure I buy into this. Sounds like the people making the claims that it's easier to brute-force passwords in Acrobat 9 are selling a product to do that. Marketing gimmick? Maybe. Anyway, upstream does not consider this to be a vulnerability, as noted in the blog post above; it's up to the user to use a decent password or it doesn't matter what kind of encryption is used. If you use the password "cat" you've pretty much sunk your own ship. Encryption strength, or lack thereof, really doesn't have much to do when you're brute-forcing a password and Acrobat 9 is using 256-bit AES vs. 128-bit AES in previous versions. Ultimately, if Adobe doesn't think this is an issue to fix, we certainly can't fix it due to the closed-source nature of the product. So I am closing this bug in light of this.