Sunday, 22 January 2017

Adobe auto-installed a vulnerable Chrome extension on laptops/PCs

There was controversy earlier this month when news broke that Adobe had used its regular Patch Tuesday security update to silently install a Google Chrome extension on the machines of Adobe Acrobat DC users.

The Adobe Acrobat Chrome extension, which converts web pages into PDFs, was installed automatically alongside the Jan. 10 update, which patched 29 security vulnerabilities. The extension is installed only on Windows, and Project Zero researcher Tavis Ormandy found it already had approximately 30 million installations. The installation happens without the user's consent or knowledge; the extension first shows itself when Chrome is restarted and the user is asked to grant it permission to "read and change all your data on the websites you visit", "manage your downloads" and "communicate with cooperating native applications". The last of these is Chrome's warning for the nativeMessaging permission, which lets an extension exchange messages with a program installed on the local machine.
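The check a practitioner would want after reading this is to enumerate the extensions actually present in a Chrome profile and flag any that carry the three permissions just described. The Python script below is an added example written for this post, not code from Adobe or Google. It assumes Chrome's standard on-disk layout of `<Extensions>/<extension id>/<version>/manifest.json`, and it assumes the mapping from manifest entries to Chrome's warning strings: an all-sites host pattern (`<all_urls>` or an equivalent wildcard) produces the "read and change all your data" warning, `downloads` produces "manage your downloads", and `nativeMessaging` produces "communicate with cooperating native applications". The sample manifests it audits are constructed so that the script runs offline; they are not Adobe's real manifest.

```python
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Manifest entries behind the three install-time warnings quoted in the post.
# Assumption: this is how Chrome maps permissions to its warning text.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
ALL_SITES_WARNING = "Read and change all your data on the websites you visit"
API_WARNINGS = {
    "downloads": "Manage your downloads",
    "nativeMessaging": "Communicate with cooperating native applications",
}


def manifest_warnings(manifest: dict) -> List[str]:
    """Return which of the three warnings Chrome would show for this manifest."""
    perms = set(manifest.get("permissions", []))
    # Host access can come from "permissions" (manifest v2), "host_permissions"
    # (manifest v3) or the match patterns of content scripts.
    hosts = set(manifest.get("host_permissions", [])) | perms
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))

    found = []
    if hosts & BROAD_HOST_PATTERNS:
        found.append(ALL_SITES_WARNING)
    for perm, warning in API_WARNINGS.items():
        if perm in perms:
            found.append(warning)
    return found


def audit_extensions_dir(root: Path) -> Dict[str, List[str]]:
    """Walk <root>/<extension id>/<version>/manifest.json and report flagged extensions.

    <root> is Chrome's per-profile Extensions directory; on Windows the default
    profile keeps it at %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions.
    """
    report: Dict[str, List[str]] = {}
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or half-written manifest: skip it, don't crash
        ext_id = manifest_path.parent.parent.name
        warnings = manifest_warnings(manifest)
        if warnings:
            report[ext_id] = warnings
    return report


def default_chrome_extensions_dir() -> Path:
    """Windows default-profile location; other profiles sit beside 'Default'."""
    return (Path(os.environ.get("LOCALAPPDATA", ""))
            / "Google" / "Chrome" / "User Data" / "Default" / "Extensions")


# Constructed sample manifests: one mirrors the permission set described in
# the post, the other is harmless. Neither is Adobe's real manifest.
SAMPLE_BROAD_MANIFEST = {
    "manifest_version": 2,
    "name": "Constructed web-to-PDF extension",
    "version": "1.0",
    "permissions": ["tabs", "downloads", "nativeMessaging", "<all_urls>"],
}
SAMPLE_BENIGN_MANIFEST = {
    "manifest_version": 2,
    "name": "Constructed harmless extension",
    "version": "1.0",
    "permissions": ["storage"],
}


def demo_audit() -> Dict[str, List[str]]:
    """Write the constructed manifests into a temporary Extensions tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for ext_id, manifest in (("aaaabroadextensionid", SAMPLE_BROAD_MANIFEST),
                                 ("bbbbbenignextensionid", SAMPLE_BENIGN_MANIFEST)):
            # Chrome names version directories like "1.0_0"
            version_dir = root / ext_id / (manifest["version"] + "_0")
            version_dir.mkdir(parents=True)
            (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_extensions_dir(root)


if __name__ == "__main__":
    root = default_chrome_extensions_dir()
    # Audit the real profile when it exists, otherwise the constructed sample tree.
    report = audit_extensions_dir(root) if root.is_dir() else demo_audit()
    for ext_id, warnings in report.items():
        print(ext_id)
        for warning in warnings:
            print("   -", warning)
```

Run it on a Windows machine with Chrome closed and compare the flagged IDs against what the user knowingly installed; an extension nobody remembers adding that asks for all three permissions is exactly the case this post describes. The script only inspects what is on disk, so a broad permission set in the report still has to be weighed against what the extension legitimately does.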

Users can remove the extension, but it is enabled by default. Another default setting of the Adobe Acrobat extension allows it to "send anonymous usage information to Adobe for product improvement purposes." Adobe's position is that no personally identifiable information is collected and that the data would be meaningless to anyone outside Adobe.