The flaws could allow someone to check out every copy of every book in Adobe's new electronic library for an unlimited amount of time by changing the values in the loan form. However, the bugs were discovered on an Adobe test Web site that demonstrates how the software could be used to set up a lending library--not an actual site that offers books--and ElcomSoft gives information about how to fix the flaws.
The Russian software company reported the problem to the Bugtraq list without first telling Adobe about it because, it said, the company has been reluctant to fix other flaws.
ElcomSoft said it had discovered a "more serious problem with another Adobe software and reported it to the vendor; however, there was no response at all, and so we decided not to waste our time reporting this one (about the library) to Adobe."
The move comes just a month before ElcomSoft is set to face criminal copyright charges related to cracking Adobe's eBook software. The case first made headlines a year ago, when federal agents arrested ElcomSoft employee Sklyarov after he gave a speech about his company's software, which could crack protections on Adobe's eBooks. Sklyarov spent several weeks in jail. Prosecutors eventually dropped the charges against him in exchange for his testimony, but ElcomSoft remains on trial.
An Adobe spokeswoman said the company was still evaluating the report but that security precautions prevent Adobe from further discussing the measures it was taking.
"We are committed to strengthening the security of our products by using sophisticated, industry-standard levels of software encryption and working with the software community, including 'White Hat' security experts, to incorporate features to advance the quality of our products," Adobe spokeswoman Layla McHale said. "However, no software is 100 percent secure from determined hackers."