3

Recently, I stumbled upon a way to reset the software trial of any product under the adobe suite. It's as simple as changing some attributes within a few files. I'm assuming that it can be deemed an issue because it shows no signs of piracy (such as a replaced .dll). On their website they have a program set up only for web app vulnerabilities to be reported, and they have a contact email for program vulnerabilities. They also have a bug/feature request forum, but I do not want to put this exploit on there.

Would this exploit be considered a program vulnerability? Would Adobe take a look at the exploit that I found and patch it? Should I not bother reporting it?

AndrolGenhald
  • 15,436
  • 5
  • 45
  • 50
rolexgold18
  • 55
  • 1
  • 5
    Contact [Adobe’s Product Security Incident Response Team (PSIRT)](https://blogs.adobe.com/psirt/). They have also a [PGP key](https://pgp.mit.edu/pks/lookup?op=vindex&search=0xA8F655F734755964) for a confidential disclosure. – Gumbo Jul 11 '15 at 08:39
  • 8
    I very much doubt a licensing workaround would be considered a security issue. All licensing schemes can be worked around—the Copy Protection Problem being, by nature, unsolvable—so making contravention incrementally more difficult by throwing more resources at an ever-escalating arms race isn't a viable strategy. – bobince Jul 12 '15 at 12:28

1 Answers1

-1

My 2 cents (even though this is an old, and probably un-monitored, thread).

Organizations don't invest in effort unless it has some return. Let's see if putting effort on closing this vulnerability has any return or not.

This vulnerability affects all trial versions of Adobe software. But, what is the impact here? What happens if someone resets the trial version? Does it become a full version of the software? If yes, then this is cause for concern.

But, if even after resetting the version, it remains a trial version, then it is not much of an impact. It is similar to un-installing the current trial and re-installing it again.

So, i don't think it would be deemed a vulnerability. Even if you reported it, they will not treat it as a vulnerability.

M S Sripati
  • 99
  • 4