A Flawed Adobe Extension Automatically Installed on 30 Million Chrome Browsers

Tavis Ormandy, a Google Project Zero researcher, stumbled across a cross-site scripting (XSS) flaw in an automatically installed Adobe Acrobat Chrome extension. The extension, which converts web pages into PDF files, started installing automatically on users' Chrome browsers when Adobe patched 29 security vulnerabilities on January 10th.

Even though the flawed extension only affects Windows OSs, according to Ormandy, it has already been installed on more than 30 million machines. This process happens in complete silence, without the users' permission or even their knowledge. The victims are only informed of the new extension once they have restarted their browsers. Then, they are asked to allow the Adobe Acrobat extension to control all of their downloads, to read and alter all the data on the web pages they visit, as well as to “communicate with cooperating native applications.”

There is an option for removing the extension, but it is enabled by default. Another thing the extension does, which is set by default, is to “send anonymous usage information to Adobe for product improvement purposes.” The Adobe team affirms that the information gathered is strictly Adobe-related and doesn’t include any personally identifiable data.
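
The three capabilities named in the permission prompt above correspond to Chrome manifest permissions: `downloads`, a match-all host pattern, and `nativeMessaging`. The following is an added example, not code from the original article or from Adobe, that checks an extension's `manifest.json` for them; the function name `auditManifest` and the sample manifest are constructed for illustration.

```javascript
// Added example: flag the three capabilities from the install prompt in a manifest.
// Permission names are Chrome's manifest values; the sample manifest is constructed.
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

function auditManifest(manifest) {
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ].filter((p) => typeof p === 'string');
  // Content scripts that match every site can also read and alter page data.
  const scriptMatches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);

  const findings = [];
  if (declared.includes('downloads')) {
    findings.push("downloads: can manage the user's downloads");
  }
  const broad = [...declared, ...scriptMatches].filter((p) => BROAD_HOSTS.has(p));
  if (broad.length > 0) {
    findings.push(`all-sites access via ${[...new Set(broad)].join(', ')}`);
  }
  if (declared.includes('nativeMessaging')) {
    findings.push('nativeMessaging: can talk to native applications');
  }
  return findings;
}

// Constructed sample manifest, not the Adobe extension's actual manifest.
const sampleManifest = {
  manifest_version: 2,
  name: 'Sample PDF converter',
  permissions: ['downloads', 'nativeMessaging', '<all_urls>', 'tabs'],
  content_scripts: [{ matches: ['http://*/*', 'https://*/*'], js: ['content.js'] }],
};

console.log(auditManifest(sampleManifest));
```

Run against the `manifest.json` of each installed extension, this gives a quick inventory of which ones hold the same combination of privileges.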

Ormandy reported the DOM-based cross-site scripting (XSS) flaw in the Adobe extension to the company a week ago and, last Thursday, Adobe released an update, describing the vulnerability as important.

According to Ormandy, the vulnerability allowed the privileged execution of JavaScript code.

“I think [Content Security Policy] might make it impossible to jump straight to script execution.” – stated the Google Project Zero researcher – “But you can iframe non web_accessible_resources, and easily pivot that to code execution, or change privacy options via options.html, etc.”

Furthermore, Adobe has received criticism for the security of many of its software products. In particular, multiple critical bugs have been found in Flash, which forced the industry to turn to HTML5 instead. Moreover, the company recently had to pay a $1 million settlement for a data breach in 2013 that caused the exposure of sensitive information of millions of users.
