Latest Adobe Acrobat Reader Update Silently Installs Chrome Extension (bleepingcomputer.com) 145
An anonymous reader writes: The latest Adobe Acrobat Reader security update (15.023.20053), besides delivering security updates, also secretly installs the Adobe Acrobat extension in the user's Chrome browser. There is no mention of this "special package" on Acrobat's changelog, and surprise-surprise, the extension comes with anonymous data collection turned on by default. Bleeping Computer reports: "This extension allows users to save any web page they're on as a PDF file and share it or download it to disk. The extension is also Windows-only, meaning Mac and Linux Chrome users will not receive it. The extension requests the following permissions: Read and change all your data on the websites you visit; Manage your downloads; Communicate with cooperating native applications. According to Adobe, extension users 'share information with Adobe about how [they] use the application. The information is anonymous and will help us improve product quality and features,' Adobe also says. 'Since no personally identifiable information is collected, the anonymous data will not be meaningful to anyone outside of Adobe.'"
sure I believe you (Score:5, Funny)
Re: (Score:2)
Where have you been? The courts have determined an IP doesn't prove an identity, therefore it's just more anonymous information.
Re: (Score:2)
Where have you been? The courts have determined an IP doesn't prove an identity, therefore it's just more anonymous information.
Look up what PII is (personally identifiable information). Your full name is PII, as is your address, but neither prove an identify. The IP does not have to prove it was you to be PII. I believe it would fall under non-sensitive, as opposed to sensitive PII such as biometric info, medical info, SSN, drivers license number, etc, but it's still PII (at least IMO, since each country/court/etc could define it however they see fit).
PII does not equal personal data (Score:2)
PII is an American legal term - in the US there is hardly any privacy on the internet. US companies are free to collect IP addresses for US citizens
In the EU and relating to EU citizens, "personal data" is any data that relates to an identified or identifiable individual. An IP address does constitute "personal data" under EU law, if there is a legal means to find out who the IP address belongs to. See
http://www.whitecase.com/publi... [whitecase.com] for details.
Re: (Score:3)
But sadly, this is how the industry looks like. "Security" is achieved if you make sure the data only gets to the manufacturer and nobody else, not if no information leaves the machine of the user at all.
Re: (Score:2)
Re: (Score:2)
They should pop one up asking whether you want to install it.
Re: (Score:2)
That's it. Whatever they do (within reason) is fine by me as long as I'm informed and given the option to opt out. I think ALL companies should considering taking that approach.
Re: (Score:1)
Because other people use Adobe. People we do business with. And refusing to interface with them simply isn't a realistic option.
Re: (Score:2)
And they're using Adobe-only features that don't exist in other PDF products? I understand the need for PDF in general, but why Adobe in particular?
Re: (Score:2)
Adobe in particular - No other PDF product on the IT schedule. We can't all be Admin.
It does what? (Score:2, Insightful)
>This extension allows users to save any web page they're on as a PDF file and share it or download it to disk
I'm pretty sure chrome does that all by itself
Re: (Score:2)
Re: (Score:2)
Rendering speed isn't great for any of the in-browser viewers.
But my Windows 10 laptop is a Core 2 Duo, so it may perform acceptably fast on your hardware! :)
Chrome is smarter than that. (Score:5, Informative)
When you open chrome It will note the new extension and ask if you want to enable it or remove it.
Re: (Score:1)
I noticed this the other night and it confused me. I was worried that malware creators had found a new way to infiltrate peoples computers. Since this was very strange I denied permission for the extension, thinking it wasn't legit.
Re:Chrome is smarter than that. (Score:5, Insightful)
Chrome may be smart, but the users may not be. A whole lot of people will just click "Yes" or "Enable" or whatever the dialog says.
Re:Chrome is smarter than that. (Score:4, Insightful)
Indeed. Given that Chrome itself is often installed surreptitiously along with popular applications like CCleaner and Avast, it's no wonder that Adobe thought that Chrome users wouldn't mind, or notice, yet another clandestine install.
Now that I'm thinking about it, Chrome has come bundled with Adobe products as well! That's right, Adobe secretly installs the browser, and tries to set it as default. They've already gone that far, so what's the big deal about sliding along an extension?
Re: (Score:1)
But are users smart to rely on proprietary luck? (Score:3)
Chrome does that now, but Google could make Chrome behave differently and not ask, simply accept the new plugin (with its spying turned on by default) without prompting the user.
Ultimately this allegation of "smarts" is not under the user's control, it's unsafe and a minor stroke of luck that things happened to work out the way they did for now. It doesn't strike me as smart to dismiss this as a settled matter, just as it was not smart for Microsoft Windows 10 users to believe that the OS privacy settings w
Re: (Score:3)
Yep. Chrome informed me that it was time to complete disable the Adobe auto-updater.
FYI: Create a dword called bUpdate in \HKLM\SOFTWARE\Policies\Adobe\Adobe Acrobat Reader\DC\FeatureLockDown.. set it to 0 to completely disable updates or 1 to only disable the auto-updates and leave the manual checking available in the menu.
Of course who knows how long before they decide to change or just flat out ignore that entry. But it works for now.
Re: (Score:2)
As someone who deploys Acrobat and Reader and their updates across domains, I can tell you that Adobe's documented controls are completely unreliable.
http://www.adobe.com/devnet-do... [adobe.com]
The ONLY thing I have ever gotten to work reliably is the option to disable putting an icon on the desktop. Disabling automatic updates, stopping automatic updates but allowing manual update checks, disabling the upsell, disabling usage tracking, disabling the login requirement, setting the default printer path, etc. simply be
Re: (Score:2)
Yup. Tossed the icon up in the bar and sent me to the Adobe page.
I immediately uninstalled it, force closed Chrome, and ran a full malware scan, since clearly I had been compromised by some form of browser hijacker, probably from a banner that got past uBlock. Imagine my delight when I found it wasn't a security violation, it was a violation of my trust.
Re: (Score:2)
Trust??!!
WTF were you thinking trusting Adobe? Or Microsoft? Or Google? Or any modern corporation?
Re: (Score:2)
You do not trust Microsoft? What OS do you use? You do not trust Google? What search engine do you use?
"Trust", in the way it is used in security, means that you have a certain expectation towards a certain resource and you are willing to believe it to perform a specific service with specific license provided by you. In a less abstract way, you use Google as a search engine and you trust it to provide you with reasonably matching results to the search terms you enter, and you also trust it not to deliberate
Re: (Score:2)
Nope.
A mix of Linux and Windows.
Never!
DuckDuckGo, Bing (for porn, of course), Yandex
Re: (Score:2)
Specifically, the violation of my trust was expecting a software updater not to install new, tangentially related, apps. An update to a DLL file to fix a security flaw is an update. A software extension to Google Chrome that mimics "Print to PDF" is a new install. Due to Windows restrictions I could not give them access to the former without access to do the latter. They abused having access for the former to do the later.
There's also the colloquial version of the term in that this was probably unethica
Re: (Score:2)
Funny (Score:5, Informative)
Yesterday or two days ago, Chrome prompted me if want to install something from Adobe, most likely extensions and I clicked no since I did not like those popups. Now looking at chrome://extensions/ - nothing like that there to see.
What gives?
Re:Funny (Score:5, Interesting)
That'd be chrome protecting you from this shit. they've gotten pretty good at detecting and preventing these kinds of drive by installs.
Re:Funny (Score:4, Insightful)
they've gotten pretty good at detecting and preventing these kinds of drive by installs.
After gaining a large amount of market share by BEING a drive-by install (as part of java, IIRC), they ought to be good at detecting them.
Re: (Score:2)
Not java, flash player (Score:1)
Not java but it was (is?) installed with flash player if you don't uncheck that box FROM THE DOWNLOAD PAGE (it do not ask if you want it when installing - it just install chrome without asking). WTF? Normal google/adobe behavior I guess but I found it pretty dirty from them.
Re: (Score:2)
Re: (Score:1)
Never said they still did. See this post https://forums.adobe.com/threa... [adobe.com] from 2013. It did install just like I said (in 2013). So it has, do not anymore, and I can't speak for the future but it would not suprise me if they do it again.
Re:Funny (Score:5, Informative)
That was it. My chrome did the same thing not more than two hours ago...which means Acrobat updated itself silently. Which pisses me off. Now, what pisses me off even worse is that it's hard to turn off auto-update in Acrobat Reader DC and requires either editing the registry or downloading and installing another adobe preference manager program (link to help article: https://forums.adobe.com/threa... [adobe.com]). And even worse, the data collection was checked by default. A-holes.
Re: (Score:2)
That's interesting. Adobe reader had only ever checked for updates for me and never silently installed them. I install them all anyway since an unpatched reader is much like browsing the internet with IE6 in terms of attack potential but still all I get is an annoying prompt very frequently to update.
Re:Foxit instead (Score:5, Informative)
Foxit comes with malware which installs toolbars. It's worse than Adobe
Re:Foxit instead (Score:5, Informative)
https://www.sumatrapdfreader.o... [sumatrapdfreader.org]
Re: (Score:2)
I just discovered Sumatra a couple days ago. Was astonished how fast it is. But how would one use it as a browser plug-in?
Re:Foxit instead (Score:5, Informative)
At least throw a damn citation out.
Only thing I can see is version 6.1.4 (2014) of FoxIt had malware. But it was removed afterward because of user outcry.
HOWEVER, equally or more dangerous I've noticed:
>In July 2014, the Internet Storm Center reported that the mobile version for iPhone was transmitting unencrypted telemetry and other data to remote servers located in China despite users attempting to opt out of such data collection.[13]
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:1)
Just use good, old US crapware!
Re:Foxit instead (Score:5, Insightful)
Re: (Score:1)
I don't have Chrome installed. Just SeaMonkey.
Re: (Score:1)
No
Chrome's built in PDF viewer is useless for forms or others obscure scanned PDFs.
I have had to help administrations multiple times and since Chrome later not supporting Reader extensions I had to instruct them to download the PDF and THEN open them in Adobe Reader (still using the non-DC version)
Granted there are problems with Adobe Reader but to make it that difficult to launch an external program to read PDFs..............
(And not the only shenanigans that Chrome has pulled)
Re: (Score:2)
The good news ... (Score:5, Informative)
Re: (Score:1)
So... the article is inaccurate, as it's not "secret" at all, and it isn't even "installed" at all... just "ready to be installed".
Fine reporting!
Re: The good news ... (Score:2, Informative)
It's installed, silently, by an auto updater. You have to grant it permission before it can run, but it's definitely installed.
Re: (Score:1)
And your reply was...(don't leave a brother hangin)
Q. Do you want to remove this unwanted extension?
a.Yes
b.No
c.There was an extension? What deadline did I just miss?
d.F**k yeah!
e.Remove the extension, AND Cowboy Neal
provocateur
too lazy for caps, too lazy to log in
Best News = No News (Score:5, Insightful)
I don't use Adobe anymore, PERIOD.
Re:Best News = No News (Score:5, Insightful)
Not an option for everyone.
Re: (Score:1)
Yes it is,the inconvenience in doing so might be judged too onerous but the choice remains.
In my time I have given up:
microsoft
adobe
oracle
redhat/derivatives
mozilla
hp
sony
google
and never used facebook,linkedin,twitter or similar. apple
And them oment I can get a unix to run natively on a phone I'll choose to remove android
Re: Best News = No News (Score:3, Funny)
do you also encrypt your grocery lists?
Re: (Score:1)
I don't encrypt mine, but I obfuscate. How is Big Dairy going to learn about my coffee-drinking preferences when I list "half and half" as "1"?
Re: (Score:1)
PERIOD.
We don't need to know about your menstrual cycle.
Re: (Score:2)
I don't use Adobe anymore, PERIOD.
I kind of have to, using the CS6 Master Suite (about 1/2 of them – the heavies). I am stuck with my current-generation Mac, and will not upgrade past OS X 10.10.5 Yosemite.
Yes, Apple bought in to this forced upgrade cycle, and is in cahoots with Adobe to make everyone migrate to renting software, which I will not do.
A program is analogous to a recipe (for a computer). It is a set of instructions == a recipe. Come to my kitchen––I'll bake you some bread. Here, it will not cost me a mem
If you have Chrome why having Acrobat Reader? (Score:2)
Re: (Score:2, Interesting)
Sadly, Chrome doesn't perfectly support all PDFs yet. The usual gap is in forms. Another problem is that many forms created by software will specifically sabotage non-Adobe products. As an example: https://tax.iowa.gov/sites/files/idr/forms1/2015%201040%20fillable.pdf
Re: (Score:2, Informative)
Some people require digital signatures on PDFs which requires adobe.
Funny they don't really care WHAT you sign it with but do require it be signed...
Re: (Score:2)
Because its unfair to Adobe if only Google and Microsoft are allowed to track your usage! You want to be fair don't you?
Re: (Score:3)
I find the built in PDF viewer in Chrome to not be that great, and the one in Firefox to be downright terrible.
I use PDF X-change, but there's plenty of other options: Sumatra PDF, MuPDF , etc.
The only reason I've used Adobe Reader recently was a stupid form that had scripting in it, that wouldn't work in any alternate viewer.
Preferential treatment (Score:4, Insightful)
The extension is also Windows-only, meaning Mac and Linux Chrome users will not receive it.
Why are Mac and Linux users treated better than Windows users? That's not fair!
Re: (Score:1)
Linux users always seem to get better treatment on these type of issues.
Re: (Score:2)
The Linux version hasn't been updated in years. It's the only 32-bit program left on my system.
Re: (Score:1)
Why are Mac and Linux users threated better than Windows users? That's not fair!
Fixed that for you
Well, seems like adobe is streamlining it. (Score:2)
Now instead of having to browse the internet until the PDF reader gets hit by one of its countless exploits and install the malware on your PC, now it comes with it integrated into a neat package.
Already seen it (Score:2)
Chrome PDF Printing Bug (Score:1)
I wonder if it has a standard 'use Reader to open PDFs in browsers' option. Chrome will sometimes not print random elements from PDFs. They display fine, but when printing some parts are just blank. This may be useful for use and it might be an easier solution than 'save PDF to desktop, open in Adobe and print' or 'open in IE when you want to print'.
USE THIS (Score:5, Interesting)
https://www.sumatrapdfreader.o... [sumatrapdfreader.org]
Small. Fast. Loads DjVu and some E-Reader formats as well. No spyware.
Re: (Score:1)
I also recommend Sumatra. Faster. Less invasive. Doesn't run in-PDF javascript. Actually nicer to use too. I uninstalled Adobe years ago and haven't looked back.
Re: (Score:2)
I just wish people developing software would remember that printing is a thing, particularly for documents like PDFs. Printing from Sumatra seems to be measured in minutes-per-page rather than pages-per-minute.
Re: (Score:1)
For professional pdf work (ie stuff meant to go on a 5000 lpi-capable sheetfed press), it's also poop, it has poor font support and inconsistencies in layering. Not that the internal pdf readers in FF or Chrome do any better. While everyone probably cheered around here (free embedded pdf readers yay!!), us professional printer support technicians were suddenly assaulted by clients and coworkers demanding to know why all of our proofs were broken.
Re: (Score:2)
I'm pretty sure browsers incorporating PDF readers is a recent amendment to Zawinski's Law.
Re: (Score:2)
I've been using PDF-XChange viewer for some years now and I'm really happy with it.
Is it too good to be true? Is someone going to come along and tell me it's stealing all the beer from my fridge?
Re: (Score:2)
Re: (Score:2)
I nearly didn't bother looking at this because you didn't include "open source" in its list of features (given how fucked so many PDF readers are in terms of security - and by that of course I mean Acrobat Reader - this is an important issue for me).
But, it turns out it is actually open source: https://github.com/sumatrapdfr... [github.com] (GPLv3).
what an evil scheme. (Score:3)
Re: (Score:1)
Has Gingery's book been released on PDF? I wasn't aware of that. Gingery is a small-press business and probably are hurt tremendously by pirates distributing PDF versions of their books.
How will we bootstrap our early 20th century machine shops from scrap material and a charcoal forge after the apocalypse if Gingery's books aren't widely distributed, particularly in post-apoc. readable paper form?
Re:what an evil scheme. (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
There's lots of interesting stuff you can find out with spyware. Most people don't know how to uninstall apps, for example, so Adobe can see if they also have Sumatra or Foxit installed, i.e. who the competition is. Installed apps stats are also helpful when they want to slip their malware into other popular installers.
They can collect data on how users react to user-hostile features and tune their abuse to get the revenue / annoying enough to use a different app ratio right. Even interaction data is really
Re: (Score:2)
"Members of the secret metadata trust.. we have Sheramil's Acrobat usage information right here! Let's see.. documentation for mom's smart tv... a pirate copy of Frank Herbert's 'Dune Encyclopedia'... uh... D.Gingery's book on metal lathes.. very well! How do we monetize this information?" *crickets*
"Ah, screw it. We will just tell the government that he is planning to use his metalworking skills to turn a smart TV into a smuggling device for drugs(street name 'spice') and get a nice little reward from the government. Might as well make some money off of this."
Closing the barn door after the horses are out (Score:2, Insightful)
Re: (Score:3)
Having faith or trust in one company does not mean I have trust in another. So far Google have not negatively impacted me with personal data collection.
On the other hand all my passwords are leaked in an unsalted hash format in a breach of Adobe along with all my account information. Their products are also an incredibly open attack vector and a security threat. I have zero faith or trust in Adobe.
Re: Closing the barn door after the horses are out (Score:1)
Chrome only collects data if you want it to. Uncheck all the options under privacy and it's just another browser. Are you gonna complain that it sends every address you visit to Google? It's just the search as you type address bar doing what it's supposed to. Almost every modern browser has it and it can be disabled. Or you can change your search engine to DuckDuckGo or whatever.
You can't have all this functionaliy without sending data somewhere.
So (Score:2)
What if you don't have Chrome installed?
Say has anybody used the Foxit reader? How compatible is it?
Re: (Score:2)
Foxit collects a whole different range of 'anonymous' data and sends that to entirely different organisations. In that sense, it fulfills the same role, but is entirely incompatible.
Redundant even if it wasn't underhanded (Score:2)
This extension allows users to save any web page they're on as a PDF file and share it or download it to disk.
Chrome has had these capabilities built-in for years. Go to the Print window and choose "Save as PDF".
Re: (Score:2)
You can turn of the "feature" that sends data (Score:2, Informative)
The Acrobat Reader abomination (Score:3)
"The extension is also Windows-only, meaning Mac and Linux Chrome users will not receive it. "
Which is good, because if you use Mac you don't need Acrobat in the first place. In fact, the built-in PDF reader includes a number of of the editing features that Adobe users have to pay for the "Pro" edition to get.
"Silently installs"??? (Score:2)
Chrome prompts for permission before an extension can install and lists what the extension is requesting access to.
Got'm (Score:1)
So....it was legitimate. (Score:2)
Do Adobe still make a PDF reader? (Score:2)
Re: (Score:2, Insightful)
Thank you for your input, Herr Drumpf.