Adobe's silently installed Chrome extension has security issue - but gained Adobe 20M users

A Chrome extension that Adobe silently installed with a security update contains a security vulnerability. It was discovered by a Google security researcher and allows an attacker to execute malicious code on the victim's computer.

Adobe silently installed an Acrobat extension for Chrome together with a security update for Adobe Reader and Acrobat. The extension, which can be used to save web pages as PDF, was installed by more than 30 million internet users.

Because the extension was installed together with an Adobe security update, Chrome users are asked whether they want to enable the extension when they start the browser. This is a security measure Google added to prevent automatic activation of malicious extensions and toolbars. Permission was requested for the Adobe extension as well, but many novice internet users likely clicked enable automatically, as the extension has gained 20 million users since Adobe silently installed it.

Users who enabled the plugin gave permissions to Adobe to read and change all data on the websites they visit, manage their downloads and to communicate with cooperating applications outside the browser. The Acrobat extension also has anonymous usage data collection enabled by default.
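The three grants listed above can be checked for across every extension installed in a browser profile. The following is an added example, not code from Adobe, Google or the original article: it assumes the manifest permission names `<all_urls>` (and equivalent host patterns), `downloads` and `nativeMessaging` are what produce those three prompts, assumes the usual `Extensions/<id>/<version>/manifest.json` layout, and uses constructed sample manifests.

```python
import json
from pathlib import Path

# Manifest permissions assumed to sit behind the three Chrome prompts named in the article.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
PROMPTS = {
    "downloads": "manage your downloads",
    "nativeMessaging": "communicate with cooperating native applications",
}

def risky_grants(manifest: dict) -> list[str]:
    """Return the article's permission prompts that this manifest would trigger."""
    declared = set()
    # Manifest V2 keeps host patterns in "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "host_permissions"):
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts matching every site can also read and change page data.
    for script in manifest.get("content_scripts", []):
        declared.update(script.get("matches", []))
    found = []
    if declared & BROAD_HOSTS:
        found.append("read and change all data on the websites you visit")
    found += [text for perm, text in PROMPTS.items() if perm in declared]
    return found

def audit_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Map extension ID -> triggered prompts for every unpacked manifest found."""
    report = {}
    # Assumed layout: <extensions_dir>/<extension id>/<version>/manifest.json
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not abort the audit
        grants = risky_grants(manifest)
        if grants:
            report[path.parts[-3]] = grants
    return report

# Constructed sample manifests (not the real Adobe manifest).
SAMPLE_BROAD = {"manifest_version": 2, "name": "sample-pdf-helper",
                "permissions": ["<all_urls>", "downloads", "nativeMessaging", "tabs"]}
SAMPLE_NARROW = {"manifest_version": 3, "name": "sample-notes",
                 "permissions": ["storage"], "host_permissions": ["https://example.com/*"]}

if __name__ == "__main__":
    print(risky_grants(SAMPLE_BROAD))
    print(risky_grants(SAMPLE_NARROW))
```

Point `audit_profile` at the `Extensions` directory of a Chrome profile to list every installed extension that holds any of these grants, including ones added by another installer.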

Google security researcher Tavis Ormandy discovered a vulnerability in the extension that allows an attacker to execute JavaScript. This also allows an attacker to execute malicious code and even change privacy settings. Ormandy warned Adobe about the issue and the company fixed it within a day.

Reviews of the Adobe Acrobat extension show that users are pretty upset with Adobe adding the extension with a security update. One user writes, "How DARE Adobe install this extension automatically and silently as part of a "security" update for Acrobat. DISGUSTING!!! Not only am I removing the extension from the browser, I am permanently removing Acrobat from ALL systems on my network and blocking any further installations. My school district will be Acrobat free AS SOON AS HUMANLY POSSIBLE. Further, I will recommend to the Department of Education a different solution for PDF viewing and editing. I will push and fight to get as many people as I can to stop using this disgusting trash".

Another user wrote, "It automatically installed itself onto my Google browser. I'll be uninstalling all Adobe products from my computer now."

The extension's rating also dropped considerably, with many 1-star reviews. It currently has 3 out of 5.
