
Adobe is no stranger to finding itself in the security headlines for all the wrong reasons, and it seems that things may not be changing as we enter 2017.

There was controversy earlier this month when news broke that Adobe had used its regular Patch Tuesday security updates to silently install a Google Chrome extension on the machines of Adobe Acrobat DC users.

As Bleeping Computer reports, most people first found out about the extension, which offers the ability to easily convert webpages into PDF files, when they saw a prompt asking them to approve the following permissions:

  • Read and change all your data on the websites you visit
  • Manage your downloads
  • Communicate with cooperating native applications

Acrobat extension permissions

Of course, you could choose to remove the extension, but it’s the “Enable” option that is selected by default – and it is probably what many people would click on without thinking about the possible consequences.

Users expressed their outrage on social media about Adobe silently installing the Windows-only extension, leaving poor reviews in the Chrome web store:

“How DARE Adobe install this extension automatically and silently as part of a ‘security’ update for Acrobat. DISGUSTING!!! Not only am I removing the extension from the browser, I am permanently removing Acrobat from ALL systems on my network and blocking any further installations. My school district will be Acrobat free AS SOON AS HUMANLY POSSIBLE. Further, I will recommend to the Department of Education a different solution for PDF viewing and editing. I will push and fight to get as many people as I can to stop using this disgusting trash.”

What further upset some users was that the Adobe Acrobat Chrome extension sends “anonymous product usage data” back to Adobe, although the company stresses that it does not receive details of the URLs visited by users.

It wasn’t long before headlines appeared comparing the sneakily-installed extension to “spyware”.

Could there be any worse news for Adobe? Well, perhaps…

Tweet by Tavis Ormandy

Controversial Google security researcher Tavis Ormandy’s interest was piqued by all of the attention being given to the extension, so he made his own examination of its code and found that it was vulnerable to cross-site scripting (XSS) attacks.

According to statistics displayed on the Chrome web store, the controversial extension has tens of millions of users – all of whom are potentially vulnerable because of the flaw in its code.

Every time you add additional software to your computer, you are increasing your potential attack surface. If you don’t need it, don’t install it. And be wary of software that is installed without your permission or that vendors bundle with their software against your wishes.

Adobe has responded to Ormandy’s report by saying it has now issued an update to the extension that fixes the security holes.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

  • disqus_Tgv8PPb9Oy

    While I deplore Adobe’s sneaky way of putting this extension on people’s computers, I also deplore the mindless way people use their machines, barely, if ever, reading and trying to comprehend the messages their programs send them, and blankly clicking on whatever is highlighted. For all the flapdoodle about Adobe putting this on silently, the extension does, after all, produce a message telling you what it wants to do. If you choose to not pay attention, then you have nothing to complain about.

    • Clark W. Griswold

      Nonsense, DON’T blame the victim here. My wife isn’t computer savvy and this kind of manipulation is an affront to fair play. After all we have a CD digital manual for our camera. She was trying to pop it in and review it…until…a message came on saying our Acrobat needs an extension.
      So what’s she supposed to do? Stop and analyze what an extension is and LET’S NOT FORGET the message does NOT SAY GOOGLE CHROME, but merely “Chrome”. Not necessarily a red flag without getting in a few more web sites and reading what the word Chrome by itself means in addition to getting on another web site to see why an Adobe extension is needed.

      This isn’t geared for someone just trying to read a freaking manual CD.

  • Clark W. Griswold

    HOW is this forced through subterfuge LEGAL?
