Skip to main content

Adobe pushed insecure Adobe Acrobat extension to Chrome systems

When Adobe released an update for the company's Adobe Acrobat Reader DC software in January, it installed alongside with it a browser extension for Google Chrome.

This "feature" was not mentioned in the changelog, and users had no option to block the installation. Chrome's security mechanism when it comes to the installation of browser extensions did kick in however, and blocked the extension from being enabled automatically.

Still, users got a prompt the next time they opened Chrome that asked them to enable the Adobe Acrobat extension in Chrome, or remove it from the browser.

The extension allows users to turn web pages into PDF documents. It also includes telemetry routines that are enabled by default.

adobe acrobat chrome extension

While it is bad enough that Adobe did so without giving users a choice -- the extension did get installed after all and it was Chrome that did block its activation -- it gets even worse.

Turns out, the Chrome extension that Adobe pushed out to user systems is also adding attack vectors to the systems if enabled.

Google's Tavis Ormandy decided to look at the extension's source, and found a JavaScript code execution bug that put the then 30 million systems the extension was installed on at risk.

Presumably you can do

window.open("chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/data/js/frame.html?message=" + encodeURIComponent(JSON.stringify({
panel_op: "status",
current_status: "failure",
message: "<h1>hello</h1>"
})));

I think CSP might make it impossible to jump straight to script execution, but you can iframe non web_accessible_resources, and easily pivot that to code execution, or change privacy options via options.html, etc.

Adobe did release a fix for the issue, and the most recent version of Adobe Acrobat for Chrome is patched.

Adobe has released a security update for the Adobe Acrobat extension for Chrome. This update addresses a cross-site scripting vulnerability rated important that could potentially lead to JavaScript execution in the browser.

Recap

Adobe installed the Chrome extension Adobe Acrobat without user interaction or notice as part of an update for the company's Adobe Acrobat Reader DC software. The extension phones home with telemetry data, and it did introduce a serious security vulnerability that users could fall victim to. Adobe did patch the vulnerability quickly after it was notified by Google of its existence.

User reviews on the Adobe Acrobat extension page on the Chrome Web Store show anger and confusion for the most part ever since the extension was installed silently on user systems.

What you can do about it

You have a couple of options, but only one makes sure that something like this won't happen again in the future.

  1. Do nothing. Not recommended.
  2. Remove all Adobe products from your computer systems. If you don't rely on them, this is the best and only option to ensure that Adobe won't push another extension to your systems in the future.
  3. Blacklist the Chrome extension using Chrome policies for devices. The extension ID is efaidnbmnnnibpcajpcglclefindmkaj, and you find the option to do so in the Group Policy under Computer > Policies > Administrative Templates > Google > Google Chrome > Extensions > Configured extension blacklist (thanks Decent Security and Born City). Blacklisting won't prevent Adobe from pushing other extensions to systems though.

Now You: What do you think of this?

 

This article was first seen on ComTek's "TekBits" Technology News

HOME