An Adobe Acrobat Chrome extension used for converting webpages into PDFs was automatically installed onto Windows users' browsers during a recent patch, which was criticized by many tech and privacy experts. What was the problem with the Adobe extension, and what should users do about it?
Keeping software up to date and patched is a critical aspect of IT security. However, many users can be lax about ensuring they have the latest security patches installed, which is why most software vendors now push patches to users' machines automatically.
Adobe issues security updates for its products on Patch Tuesday, and they are automatically installed as the default setting. The update for Adobe Acrobat Reader DC, released on Jan. 10, addressed 29 vulnerabilities; it also silently installed an Adobe Acrobat Chrome extension on users' Windows PCs. Users had no option to block the installation, and it was not mentioned in the change log.
Privacy experts and users quickly criticized Adobe's actions; not only was the extension installed without users' approval, but it also sent anonymous telemetry data back to Adobe by default.
The purpose of the extension is to convert webpages into PDF files, but users only discovered it the next time they opened Chrome after the Patch Tuesday updates. Chrome's security mechanisms block extensions from being enabled automatically, and so prompted users to either grant the Adobe Acrobat Chrome extension permission to access data on sites they visit, communicate with cooperating native applications and manage downloads, or to remove it from the browser. As the Enable option was set by default, that is probably what most people chose. Once enabled, the extension exposed users to a potential XSS attack.
Ormandy reported the XSS flaw to Adobe, who rated the vulnerability important and patched it a few days later.
It would be a shame if this experience put users off of automatically installing security patches; it would not only put their own devices at risk, but would also make the internet as a whole less secure. Software vendors should certainly not use security updates to install undocumented new features without the user's permission.
Browser extensions have a reputation for being poorly coded, and only those that really provide useful functionality and are from trusted sources should be enabled.
Users who no longer want the Adobe Acrobat Chrome extension on their browsers can add its unique Chrome Web Store ID, efaidnbmnnnibpcajpcglclefindmkaj, to the Chrome extensions blacklist by going to Computer > Policies > Administrative Templates > Google > Google Chrome > Extensions > Configured extension blacklist.
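The Group Policy setting named above ends up as a Chrome policy in the Windows registry. The PowerShell below is an added example, not part of the original answer: it applies the same ExtensionInstallBlacklist policy directly and lists what is currently blocked, which is handy on machines that are not domain-joined. It assumes the registry location Chrome documents for machine policy (HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlacklist) and uses the extension ID from the text; the function names are the example's own.

```powershell
# Added example (not from the original article). Applies Chrome's ExtensionInstallBlacklist
# policy by writing it to the registry location Chrome reads machine policy from (assumed from
# Chrome's policy documentation). Each blocked extension is a REG_SZ value named 1, 2, 3, ...
# whose data is the 32-character extension ID. Run from an elevated PowerShell session.

$PolicyKey      = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlacklist'
$AdobeAcrobatId = 'efaidnbmnnnibpcajpcglclefindmkaj'   # Chrome Web Store ID quoted in the article

function Get-ChromeBlockedExtension {
    # Returns the IDs already present in the policy key (nothing if the key does not exist).
    param([string]$Key = $PolicyKey)
    if (-not (Test-Path -Path $Key)) { return }
    $item = Get-ItemProperty -Path $Key
    # Skip PowerShell's own PS* note properties; policy entries have purely numeric names.
    $item.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { [pscustomobject]@{ Index = [int]$_.Name; ExtensionId = $_.Value } }
}

function Add-ChromeBlockedExtension {
    # Adds one extension ID to the policy under the next free numeric value name.
    # Chrome extension IDs are 32 lowercase letters in the range a-p.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidatePattern('^[a-p]{32}$')][string]$ExtensionId,
        [string]$Key = $PolicyKey
    )
    $current = @(Get-ChromeBlockedExtension -Key $Key)
    if ($current.ExtensionId -contains $ExtensionId) {
        Write-Host "$ExtensionId is already blocked"
        return
    }
    $next = 1
    if ($current.Count -gt 0) { $next = ($current.Index | Measure-Object -Maximum).Maximum + 1 }
    if ($PSCmdlet.ShouldProcess("$Key\$next", "Block extension $ExtensionId")) {
        if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        New-ItemProperty -Path $Key -Name $next -Value $ExtensionId -PropertyType String | Out-Null
    }
}

Add-ChromeBlockedExtension -ExtensionId $AdobeAcrobatId
Get-ChromeBlockedExtension | Format-Table -AutoSize
```

Run with `-WhatIf` to preview the registry write. After Chrome is restarted, chrome://policy shows the policy and the extension is disabled in every profile on the machine; `Remove-ItemProperty` on the same value undoes it. Later Chrome releases renamed the policy ExtensionInstallBlocklist, so check chrome://policy to confirm which name your version honours.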
Also, it is important to read and understand the permissions extensions and other applications request before enabling them. Don't just click Enable because it has been highlighted by default.
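Reviewing permissions is easier when they are listed in one place rather than read off a one-time prompt. The following PowerShell is an added example, not code from the original answer: it reads the manifest of every extension installed in the current user's default Chrome profile, reports the permissions each declares, and flags the ones matching what the text says the Adobe prompt requested (site data, native messaging, downloads). It also lists extensions that installers have registered with Chrome through the registry, Chrome's documented "external extensions" mechanism; the article does not say which mechanism Adobe's updater used, so that check is a general audit rather than a statement about Adobe. The profile path is Chrome's standard layout under %LOCALAPPDATA%, the extension ID is the one quoted in the text, and the "sensitive permissions" list and function names are the example's own.

```powershell
# Added example (not from the original article). Audits installed Chrome extensions by reading
# each extension's manifest.json and reporting declared permissions, so the permission prompt
# described in the text can be reviewed after the fact rather than clicked through.
# Assumptions: Chrome's standard per-profile layout under %LOCALAPPDATA%; the Adobe ID is the one
# quoted in the article; the sensitive-permission list is this example's own review checklist.

$AdobeAcrobatId = 'efaidnbmnnnibpcajpcglclefindmkaj'
$ExtensionRoot  = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'

# Permissions matching what the article says the Adobe prompt asked for (site data, native
# messaging, downloads), plus a few others with comparable reach.
$SensitivePermissions = @('<all_urls>', 'http://*/*', 'https://*/*', '*://*/*',
                          'nativeMessaging', 'downloads', 'webRequest', 'tabs', 'history', 'cookies')

function Get-ChromeExtensionAudit {
    param([string]$Root = $ExtensionRoot)
    if (-not (Test-Path -Path $Root)) { Write-Warning "No Chrome extension folder at $Root"; return }

    foreach ($dir in Get-ChildItem -Path $Root -Directory) {
        # One sub-folder per installed version; treat the newest manifest as the active one.
        $manifest = Get-ChildItem -Path $dir.FullName -Filter manifest.json -File -Recurse |
                    Sort-Object LastWriteTime -Descending | Select-Object -First 1
        if (-not $manifest) { continue }
        try { $m = Get-Content -Raw -Path $manifest.FullName | ConvertFrom-Json }
        catch { Write-Warning "Unreadable manifest for $($dir.Name)"; continue }

        # Manifest V2 keeps host patterns in "permissions"; V3 moves them to "host_permissions".
        # Some entries are objects (e.g. usbDevices), so keep only plain strings.
        $perms = @(@($m.permissions) + @($m.host_permissions) | Where-Object { $_ -is [string] })
        # Names are often i18n placeholders; show the placeholder rather than an empty string.
        $name  = if ($m.name -like '__MSG_*') { "(localised: $($m.name))" } else { $m.name }

        [pscustomobject]@{
            Id             = $dir.Name
            Name           = $name
            Version        = $m.version
            Sensitive      = @($perms | Where-Object { $SensitivePermissions -contains $_ })
            AllPermissions = $perms
            IsAdobeAcrobat = ($dir.Name -eq $AdobeAcrobatId)
        }
    }
}

function Get-ChromeExternalExtensionRegistration {
    # Windows installers can register an extension for Chrome to offer via these registry keys
    # (Chrome's "external extensions" mechanism). Listing them shows which installers have
    # queued extensions for the browser to prompt about.
    $keys = 'HKLM:\SOFTWARE\Google\Chrome\Extensions',
            'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions',
            'HKCU:\SOFTWARE\Google\Chrome\Extensions'
    foreach ($k in $keys) {
        if (-not (Test-Path -Path $k)) { continue }
        foreach ($sub in Get-ChildItem -Path $k) {
            $p = Get-ItemProperty -Path $sub.PSPath
            [pscustomobject]@{
                Id        = $sub.PSChildName
                UpdateUrl = $p.update_url
                Path      = $p.path
                Source    = $k
            }
        }
    }
}

Get-ChromeExtensionAudit |
    Sort-Object { $_.Sensitive.Count } -Descending |
    Format-Table Id, Name, Version, @{ n = 'Sensitive'; e = { $_.Sensitive -join ', ' } }, IsAdobeAcrobat -AutoSize

Get-ChromeExternalExtensionRegistration | Format-Table -AutoSize
```

Anything that reports broad host access together with nativeMessaging or downloads deserves the same scrutiny the text recommends before clicking Enable; an extension you did not knowingly install that appears in the external-registration list is a candidate for removal or for the policy blacklist described above.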
Related Q&A from Michael Cobb