Adobe Acrobat Chrome extension: What are the risks?

An Adobe Acrobat Chrome extension used for converting webpages into PDFs was automatically installed onto Windows users' browsers during a recent patch, which was criticized by many tech and privacy experts. What was the problem with the Adobe extension, and what should users do about it?

Keeping software up to date and patched is a critical aspect of IT security. However, many users can be lax about ensuring they have the latest security patches installed, which is why most software vendors now push patches to users' machines automatically.

Adobe issues security updates for its products on Patch Tuesday, and they are automatically installed as the default setting. The update for Adobe Acrobat Reader DC, released on Jan. 10, addressed 29 vulnerabilities; it also silently installed an Adobe Acrobat Chrome extension on users' Windows PCs. Users had no option to block the installation, and it was not mentioned in the change log.

Privacy experts and users quickly criticized Adobe's actions; not only was the extension installed without users' approval, but it also sent anonymous telemetry data back to Adobe by default.

The number of user reviews complaining about the extension prompted Google Project Zero researcher Tavis Ormandy to examine the extension's code, and he discovered a Document Object Model-based, cross-site scripting (XSS) vulnerability that enabled privileged JavaScript code execution. At the time of the discovery, Chrome Web Store statistics showed there had been 30 million plus installations -- an attractive user base for anyone looking to exploit the vulnerability.

The purpose of the extension is to convert webpages into PDF files, but users only discovered it the next time they opened Chrome after the Patch Tuesday updates. Chrome's security mechanisms block extensions from being enabled automatically, and so prompted users to either grant the Adobe Acrobat Chrome extension permission to access data on sites they visit, communicate with cooperating native applications and manage downloads, or to remove it from the browser. As the Enable option was set by default, that is probably what most people chose. Once enabled, the extension exposed users to a potential XSS attack.

Ormandy reported the XSS flaw to Adobe, who rated the vulnerability important and patched it a few days later.

It would be a shame if this experience put users off of automatically installing security patches; it would not only put their own devices at risk, but would also make the internet as a whole less secure. Software vendors should certainly not use security updates to install undocumented new features without the user's permission.

Browser extensions have a reputation for being poorly coded, and only those that really provide useful functionality and are from trusted sources should be enabled.

Users who no longer wish to allow the Adobe Acrobat Chrome extension permission to be on their browsers can add its unique Chrome Web Store ID, efaidnbmnnnibpcajpcglclefindmkaj, to the Chrome Extensions blacklist by going to Computer > Policies > Administrative Templates > Google > Google Chrome > Extensions > Configured extension blacklist.

Also, it is important to read and understand the permissions extensions and other applications request before enabling them. Don't just click Enable because it has been highlighted by default.