Adobe pushed insecure Adobe Acrobat extension to Chrome systems

Martin Brinkmann
Jan 21, 2017
Google Chrome
|
22

When Adobe released an update for the company's Adobe Acrobat Reader DC software in January, it installed alongside with it a browser extension for Google Chrome.

This "feature" was not mentioned in the changelog, and users had no option to block the installation. Chrome's security mechanism when it comes to the installation of browser extensions did kick in however, and blocked the extension from being enabled automatically.

Still, users got a prompt the next time they opened Chrome that asked them to enable the Adobe Acrobat extension in Chrome, or remove it from the browser.

The extension allows users to turn web pages into PDF documents. It also includes telemetry routines that are enabled by default.

adobe acrobat chrome extension

While it is bad enough that Adobe did so without giving users a choice -- the extension did get installed after all and it was Chrome that did block its activation -- it gets even worse.

Turns out, the Chrome extension that Adobe pushed out to user systems is also adding attack vectors to the systems if enabled.

Google's Tavis Ormandy decided to look at the extension's source, and found a JavaScript code execution bug that put the then 30 million systems the extension was installed on at risk.

Presumably you can do

window.open("chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/data/js/frame.html?message=" + encodeURIComponent(JSON.stringify({
panel_op: "status",
current_status: "failure",
message: "<h1>hello</h1>"
})));

I think CSP might make it impossible to jump straight to script execution, but you can iframe non web_accessible_resources, and easily pivot that to code execution, or change privacy options via options.html, etc.

Adobe did release a fix for the issue, and the most recent version of Adobe Acrobat for Chrome is patched.

Adobe has released a security update for the Adobe Acrobat extension for Chrome. This update addresses a cross-site scripting vulnerability rated important that could potentially lead to JavaScript execution in the browser.

Recap

Adobe installed the Chrome extension Adobe Acrobat without user interaction or notice as part of an update for the company's Adobe Acrobat Reader DC software. The extension phones home with telemetry data, and it did introduce a serious security vulnerability that users could fall victim to. Adobe did patch the vulnerability quickly after it was notified by Google of its existence.

User reviews on the Adobe Acrobat extension page on the Chrome Web Store show anger and confusion for the most part ever since the extension was installed silently on user systems.

What you can do about it

You have a couple of options, but only one makes sure that something like this won't happen again in the future.

  1. Do nothing. Not recommended.
  2. Remove all Adobe products from your computer systems. If you don't rely on them, this is the best and only option to ensure that Adobe won't push another extension to your systems in the future.
  3. Blacklist the Chrome extension using Chrome policies for devices. The extension ID is efaidnbmnnnibpcajpcglclefindmkaj, and you find the option to do so in the Group Policy under Computer > Policies > Administrative Templates > Google > Google Chrome > Extensions > Configured extension blacklist (thanks Decent Security and Born City). Blacklisting won't prevent Adobe from pushing other extensions to systems though.

Now You: What do you think of this?

Summary
Adobe pushed insecure Adobe Acrobat extension to Chrome systems
Article Name
Adobe pushed insecure Adobe Acrobat extension to Chrome systems
Description
The Chrome extension Adobe Acrobat that Adobe installed on user systems silently and without notification? Turns out it had a vulnerability.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. kevin said on January 22, 2017 at 10:01 pm
    Reply

    I really can’t stand the fight over the web browser that takes place in the proprietary software world. If you want me to install a browser extension, you can politely ask, and not just slip it in unannounced. Even Microsoft was doing this to Firefox at one point.

    http://www.osnews.com/story/22358/Silent_Install_Firefox_Plugin_Backfires_on_Microsoft

    Fortunately, we’re free of these shenanigans on Linux, at least for now. But as it gets more popular, the unscrupulous developers who think that the above conduct is okay will begin to target us too. That’s why I hope Linux never goes truly mainstream.

  2. Patrick said on January 22, 2017 at 2:31 am
    Reply

    Pdf Exchange Editor Freeware Version has a “Fill and Save Adobe Forms to disk, email or ‘post’ – including XFA and dynamic forms”.

    Advanced features – License Required.
    (NEW PDF-XChange Editor Plus only) Create and Edit Fillable PDF Forms
    https://www.tracker-software.com/product/pdf-xchange-editor

  3. panama patrick said on January 21, 2017 at 8:31 pm
    Reply

    Can anyone recommend a good FREE replacement to Adobe Reader?

    1. mikef90000 said on January 22, 2017 at 2:42 am
      Reply

      I’ve been using Foxit Reader on Linux, but I just noticed that it isn’t recognizing the US IRS tax forms as writeable. New bug? GNOME Document Viewer (evince) works OK so far.

    2. Martin Brinkmann said on January 21, 2017 at 8:42 pm
      Reply

      Depends on what you need. Only PDF reading, or also basic editing or other functions? I use SumatraPDF as a PDF reader.

      1. George P. Burdell said on January 21, 2017 at 10:09 pm
        Reply

        The PDF “Fill In Forms” feature is extensively used by USA government agencies. For example, the Internal Revenue folks distribute all tax forms as PDF, then allow you to enter your personal data. You can save, retrieve, revise and print the filled-in forms. All neat and tidy. However, the very excellent Sumatra is read-only and cannot do this job. Has anyone tried “Blueberry’s PDF Form Filler” or any other candidates for filling in forms without Adobe?

      2. pdf said on January 21, 2017 at 9:43 pm
        Reply

        SumatraPDF has unpatched vulnerabilities (openjpeg).

      3. Panama Patrick said on January 21, 2017 at 9:28 pm
        Reply

        Thank you Martin, always so helpful.
        Regards from the Republic of Panama.
        Patrick

  4. jiri74 said on January 21, 2017 at 8:02 pm
    Reply

    4. Do not use crappy Chrome browser.
    If you cannot help yourself or you are Google addict, you can use Vivaldi browser. Same core as Chrome, same extensions working there and Adobe Reader extension can be disabled (or is disabled by default, do not remember if I did it manually in past).

    1. ShintoPlasm said on January 21, 2017 at 10:44 pm
      Reply

      Or use Opera for better compatibility with Chrome extensions and a lighter system footprint :)

  5. Patrick said on January 21, 2017 at 6:10 pm
    Reply

    If anyone uninstalled Acrobat Reader without also using “Adobe Reader and Acrobat Cleaner Tool” you have not finished uninstalling Acrobat Reader. The registry entries that are left behind are staggering.

    http://labs.adobe.com/downloads/acrobatcleaner.html

    1. seeprime said on January 21, 2017 at 8:16 pm
      Reply

      Thanks for the tip and link. Nice to have this.

  6. Borgy said on January 21, 2017 at 12:34 pm
    Reply

    You can also about:config, search “plid” (without quotes) then double click on the one item that pops up – changing it to false.

    1. Tom Hawack said on January 21, 2017 at 12:50 pm
      Reply

      True but be aware that switching this setting to true will block ALL plug-ins (plug-ins, not add-ons) :

      // DISABLE SCANNING FOR PLUGINS
      user_pref(“plugin.scan.plid.all”, false); // FLASH OR ANY OTHER PLUGIN => true

      I have no plug-in (“not one” as I often mentioned it!) so this setting is advised :)

  7. Earl said on January 21, 2017 at 12:07 pm
    Reply

    Of course, it’s pretty easy for Chrome to save (print) a webpage to a PDF all by itself without any help from Adobe.

  8. Joey Spinosa said on January 21, 2017 at 11:33 am
    Reply

    My Lord, what has happened to Adobe? I’m retired now, but there once was a time, maybe a decade ago, where I was living in the heart of Silicon Valley. Adobe was a pillar of the software community back then. Completely trusted. I clearly remember doing fresh installs on a large scale that went something like >Windows >MS Office >Adobe (free downloads)… Yep, Adobe was right up there with MS Office.

    Now I’m scouring my system to remove all Adobe products!

    A quick scan shows I still have Flash installed (it doesn’t show up in Programs & Features, or even Geek Uninstaller) but there is the 32bit Flash applet functioning in Control Panel. Fortunately, there is a stand alone Flash Uninstaller by Adobe you can use (google it).

    Some file clean-up is required even after running the Flash Uninstaller. Other than that, the only other instance I can find is right here in my Mozilla Firefox Browser… An Adobe plug-in which I can’t seem to remove, but I can disable, by selecting the “never activate” option.

    I reckon Adobe’s decline has been a long time coming. I stopped using the free downloads years ago when they went from simple stand-alone exe’s to fancy online installers that offered to include trial versions of McAfee, Chrome, Yahoo and whatever. I figure that was the beginning of the end for Adobe. They once were highly respected though…

    Bye, bye Adobe!
    Regards,
    Mr. Joey

    1. Craig White said on January 21, 2017 at 12:08 pm
      Reply

      Great post and ditto. I also just removed everything Adobe-related from my computer.

      Message to Adobe management: I hope you’re reading these posts closely. Way to destroy a brand.

    2. Tom Hawack said on January 21, 2017 at 11:58 am
      Reply

      Hi @Joey_Spinosa, concerning Firefox and “An Adobe plug-in which I can’t seem to remove, but I can disable, by selecting the “never activate” option” you may be aware that it has a Registry entry. Searching for Mozilla, then Firefox, then ‘extensions’ or ‘plugins’ (cannot remember exactly) should reveal the name of the Adobe plug-in you cannot remove from within Firefox itself. Deleting that plug-in’s entry in your Registry should fix the problem (to be removed from the Registry once Firefox is closed of course).

      As for Adobe products I’d definitely choose Option 2 above mentioned, “Remove all Adobe products” if it weren’t that none is installed here. And none will be.

  9. Pants said on January 21, 2017 at 10:46 am
    Reply

    “What do you think of this?”

    First of all, time and the web has made Adobe and/or Acrobat synonymous with PDF for most people. So many sites (and personally, people I come into contact with) assume they HAVE to have Acrobat for their PDF activities. All those sites with Get or “Requires” acrobat on them. The populace needs education.

    Secondly. This is a pure straight-up abuse of position, and leverage of the highest order of stinkitude. It smacks of google asshattery (too long to list) and MS bullshittery (see Win10). 30 million installs. Can you imagine a startup that suddenly had 30 million users? Adobe have leveraged their install base as well as the ignorance of users to get this into people’s browsers (and it WILL be used for data mining). And just how many people click OK without thinking despite chrome’s warning? My guess .. loads. Again .. 30 MILLION installs (I do not know if that 30 million means 30 million enabled, I can’t be arsed confirming).

    If any company suddenly puts 30 MILLION users at risk, they should be shamed, fined, abused, ridiculed, have their internet license revoked with demerit points, made to wear a dunce hat, and made to stand facing the corner in a dark room. And that’s just for starters. I’d also like to see MASSIVE headlining from MAJOR news sites with “ADOBE INFECTS 30 MILLION USERS WITH EXPLOITS” – think Guardian, Washington Post, HuffPo, NY Times etc (sorry for not knowing non-English publications). It’s not enough for a spattering of tech articles that really only mainly reach those who already know.

    Google (and I am not an expert on their chrome mechanisms) should be able to automatically remove and disable “malicious” or “insecure” extensions. I also do not know the legal ramifications or how this relates to their policies with developers – and of course I do not want to see them censor or restrict innovation. I’m also not 100% up on how/why their extension echo-system works regards external sources etc.

    I want to see google taking some action – I want them to auto-remove it from chrome. I want them to shove a big red “ADOBE ACROBAT IS A PIECE OF SHIT” at the top of all adobe and acrobat and pdf related searches. I really do.

    1. swamper said on January 22, 2017 at 4:41 pm
      Reply

      I’m with you Pants. These folks ought be tarred and feathered. Along with any other OS or software makers that want to decide for you what goes in your “device”. That we have to spend time stopping what just 10 short years ago would have been considered (still are to some of us) exploits that are introduced by supposedly trusted software makes absolutely no sense. They don’t own anyone’s “device”. As long as the mindless masses continue to comply and conform this will only get worse. In this day (lord help me for saying it) there ought be a license required to operate a PC. That’s the only way to educate all these folks because they do not have enough knowledge to understand the ramifications of what they do or even just exactly what it is they are giving up by allowing it. Making public school courses in PC User operation mandatory or something else drastic along those lines. PC’s just “are” to whole generations now. They do not make as many people think “how does it work” enough for them to try and learn anything, to most of the younger generations it just “is”. The instant gratification they get from the use of their “device” is all that matters. It’s very hard for a conservative like me to make those kinds of statements but something somewhere has got to give…

    2. Tom Hawack said on January 21, 2017 at 7:30 pm
      Reply

      French “Le Monde” with a similar editorial line to those of medias such as Guardian, Washington Post, HuffPo, NY Times etc makes no mention of this Adobe shame. Too busy with elected US president but even though, such news as this Adobe exploit is considered too technical I believe to be published in such papers. Still, if I refer to LeMonde.fr again I am nevertheless surprised that their specialized modules such as ‘Le Monde – Big Browser’ or ‘Le Monde – Les décodeurs’ make no mention of this either.

      Jean de la Fontaine, in “Les Animaux malades de la peste” wrote 250 years ago …

      “Selon que vous serez puissant ou misérable,
      Les jugements de cour vous rendront blanc ou noir. ”

      “Depending on whether you will be powerful or poor,
      The judgements of court will make you white or black.”

      Court, and medias.

  10. Robert said on January 21, 2017 at 10:30 am
    Reply

    Adobe acts like Microsoft in the past. They are pushing their buggy, obsolete ‘tools’ everywhere. Sadly, a lot of big companies are doing exactly the same, like HP or Lenovo or even Oracle pushing those crappy ask toolbars with Java installers.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.