Ouch! Adobe turning to unusual tactics in security patch

Jan 13, 2017 08:25 GMT

Adobe rolled out security updates for its software on Tuesday, but in addition to fixes for vulnerabilities, users also received something they didn’t expect: a Google Chrome extension that was sneakily installed on their systems.

SwiftOnSecurity reveals on Twitter that the latest Adobe Reader update also deploys a Google Chrome extension that includes telemetry features to collect data from users’ computers.

The extension is simply called “Adobe Acrobat” and is automatically added to Google Chrome when installing the security update, but it does require users to enable it when launching the browser.

What’s more unusual, however, is that the extension asks for several permissions, including “read and change all your data on the websites you visit, manage your downloads, and communicate with cooperative native applications.”
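
An added example, not code from the article or from Adobe: a Python check that flags any extension whose manifest.json requests the permissions behind the three warnings quoted above. The mapping to `<all_urls>`-style host patterns, `downloads` and `nativeMessaging` uses Chrome's manifest permission names; the sample manifests and their names are constructed.

```python
import json

# Manifest permissions behind the three install-prompt warnings the article quotes.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
ALL_SITES = "read and change all your data on the websites you visit"
API_WARNINGS = {
    "downloads": "manage your downloads",
    "nativeMessaging": "communicate with cooperative native applications",
}

def permission_warnings(manifest):
    """Return the quoted warnings that a parsed manifest.json would trigger."""
    declared = []
    # Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "host_permissions"):
        declared += [p for p in manifest.get(key, []) if isinstance(p, str)]
    # A content script matched against every site gets the same page access.
    for script in manifest.get("content_scripts", []):
        declared += script.get("matches", [])
    found = [ALL_SITES] if BROAD_HOSTS & set(declared) else []
    return found + [text for perm, text in API_WARNINGS.items() if perm in declared]

def audit(manifests):
    """Map extension name -> warnings; extensions with no findings are omitted."""
    report = {}
    for name, raw in manifests.items():
        try:
            hits = permission_warnings(json.loads(raw))
        except json.JSONDecodeError:
            hits = ["unparseable manifest"]
        if hits:
            report[name] = hits
    return report

# Constructed sample manifests (NOT the real Adobe extension's manifest).
SAMPLE = {
    "constructed-pdf-helper": json.dumps({
        "manifest_version": 2,
        "permissions": ["<all_urls>", "downloads", "nativeMessaging", "tabs"]}),
    "constructed-notes": json.dumps({
        "manifest_version": 3, "permissions": ["storage"],
        "host_permissions": ["https://example.com/*"]}),
    "constructed-injector": json.dumps({
        "manifest_version": 3,
        "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]}),
    "constructed-broken": "{not json",
}

if __name__ == "__main__":
    for name, hits in audit(SAMPLE).items():
        print(name, "->", "; ".join(hits))
```

To audit a real machine, pass `audit` the contents of each installed extension's manifest.json keyed by extension ID.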

The original purpose of the extension is to allow users to convert a website into a PDF document and then open it in Adobe Reader, which provides more features than the PDF reader integrated into Google Chrome. Converting sites to PDF, however, requires a paid version of Acrobat, so without it, the extension is essentially just a PDF reader and nothing more.

Telemetry data

And what’s worse is that this PDF reader also collects some data and sends it to Adobe’s servers. In an advisory, Adobe says that it’s only collecting browser type and version, Adobe product information such as version, and Adobe feature usage such as menu options or buttons selected. No personal information is being collected, Adobe says.

But this doesn’t make things any better, as Adobe itself hasn’t said a single thing about bundling a Google Chrome extension into a security update that pretty much all of its users are expected to install.

The extension does ask for permission before getting enabled, but users are not prompted to allow the install during deployment of the security patch. So essentially, Adobe is putting a telemetry data collection extension on everyone’s systems without even telling them about it and hoping that no one will notice.

At the time of publishing this article, Adobe hasn’t yet provided a statement regarding this unusual push for the extension, but given the criticism that has quickly emerged following this decision, expect some comments to be released soon.