Chrome Security Privacy Software Technology

Latest Adobe Acrobat Reader Update Silently Installs Chrome Extension (bleepingcomputer.com) 145

An anonymous reader writes: The latest Adobe Acrobat Reader security update (15.023.20053), besides delivering security updates, also secretly installs the Adobe Acrobat extension in the user's Chrome browser. There is no mention of this "special package" on Acrobat's changelog, and surprise-surprise, the extension comes with anonymous data collection turned on by default. Bleeping Computer reports: "This extension allows users to save any web page they're on as a PDF file and share it or download it to disk. The extension is also Windows-only, meaning Mac and Linux Chrome users will not receive it. The extension requests the following permissions: Read and change all your data on the websites you visit; Manage your downloads; Communicate with cooperating native applications. According to Adobe, extension users 'share information with Adobe about how [they] use the application. The information is anonymous and will help us improve product quality and features,' Adobe also says. 'Since no personally identifiable information is collected, the anonymous data will not be meaningful to anyone outside of Adobe.'"
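The three permissions quoted in the summary correspond to entries in an extension's manifest.json, so an installed extension can be checked on disk. The following is an added example, not code from Adobe, Google or the article: a Python audit that maps manifest entries back to those prompt strings. The sample manifest is constructed, and the `Extensions/<id>/<version>/manifest.json` layout under the Chrome profile is an assumption of the example.

```python
import json
from pathlib import Path

# Manifest API permission -> install-prompt wording quoted in the story.
API_WARNINGS = {
    "nativeMessaging": "Communicate with cooperating native applications",
    "downloads": "Manage your downloads",
}
ALL_SITES_WARNING = "Read and change all your data on the websites you visit"
# Host match patterns broad enough to cover every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def prompt_warnings(manifest):
    """Return the sorted prompt strings that a parsed manifest would trigger."""
    found = set()
    declared = list(manifest.get("permissions", []))
    declared += list(manifest.get("host_permissions", []))  # Manifest V3 key
    # Entries may be dicts in some manifests; only strings matter here.
    names = [p for p in declared if isinstance(p, str)]
    hosts = [p for p in names if p == "<all_urls>" or "://" in p]
    # Content-script match patterns grant host access as well.
    for script in manifest.get("content_scripts", []):
        hosts.extend(script.get("matches", []))
    if any(h in BROAD_HOSTS for h in hosts):
        found.add(ALL_SITES_WARNING)
    for name in names:
        if name in API_WARNINGS:
            found.add(API_WARNINGS[name])
    return sorted(found)


def audit_extensions_dir(extensions_dir):
    """Map extension id -> warnings for every manifest under the directory.

    Assumed layout: <extensions_dir>/<extension id>/<version>/manifest.json
    """
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            if not isinstance(manifest, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            # An unparsable manifest is reported rather than skipped silently.
            report[ext_id] = ["<unreadable manifest>"]
            continue
        warnings = prompt_warnings(manifest)
        if warnings:
            report[ext_id] = warnings
    return report


# Constructed sample, not the real extension's manifest.
SAMPLE_MANIFEST = {
    "name": "Example PDF helper (constructed)",
    "manifest_version": 2,
    "permissions": ["<all_urls>", "downloads", "nativeMessaging", "storage"],
}

if __name__ == "__main__":
    for warning in prompt_warnings(SAMPLE_MANIFEST):
        print(warning)
```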
This discussion has been archived. No new comments can be posted.

  • by supernova87a ( 532540 ) <kepler1@NoSpaM.hotmail.com> on Wednesday January 11, 2017 @07:49PM (#53651331)
    Certainly trustworthy! "Since no one but people at Adobe designed this, certainly no one in the wide world of hackers, exploit finders, and data sifters would ever be able to decipher and extract anything interesting from this data. I mean, we're just sending this meaningless data back to Adobe for shits and giggles, it's useless information! By the way, I heard that anonymous means that we just don't record your IP address right?"
    • Where have you been? The courts have determined an IP doesn't prove an identity, therefore it's just more anonymous information.

      • by unrtst ( 777550 )

        Where have you been? The courts have determined an IP doesn't prove an identity, therefore it's just more anonymous information.

        Look up what PII is (personally identifiable information). Your full name is PII, as is your address, but neither proves an identity. The IP does not have to prove it was you to be PII. I believe it would fall under non-sensitive, as opposed to sensitive PII such as biometric info, medical info, SSN, driver's license number, etc, but it's still PII (at least IMO, since each country/court/etc could define it however they see fit).

        • PII is an American legal term - in the US there is hardly any privacy on the internet. US companies are free to collect IP addresses for US citizens

          In the EU and relating to EU citizens, "personal data" is any data that relates to an identified or identifiable individual. An IP address does constitute "personal data" under EU law, if there is a legal means to find out who the IP address belongs to. See
          http://www.whitecase.com/publi... [whitecase.com] for details.

    • But sadly, this is what the industry looks like. "Security" is achieved if you make sure the data only gets to the manufacturer and nobody else, not if no information leaves the machine of the user at all.

    • Totally secure, unless some government three letter acronym agency demands it and tells us to keep it quiet. Yep, totally secure.
  • It does what? (Score:2, Insightful)

    by Anonymous Coward

    >This extension allows users to save any web page they're on as a PDF file and share it or download it to disk

    I'm pretty sure chrome does that all by itself

  • by Anonymous Coward on Wednesday January 11, 2017 @07:59PM (#53651371)

    When you open chrome it will note the new extension and ask if you want to enable it or remove it.

    • by Anonymous Coward

      I noticed this the other night and it confused me. I was worried that malware creators had found a new way to infiltrate people's computers. Since this was very strange I denied permission for the extension, thinking it wasn't legit.

    • by Anonymous Coward on Wednesday January 11, 2017 @09:51PM (#53651753)

      Chrome may be smart, but the users may not be. A whole lot of people will just click "Yes" or "Enable" or whatever the dialog says.

      • by narcc ( 412956 ) on Wednesday January 11, 2017 @11:02PM (#53651961) Journal

        Indeed. Given that Chrome itself is often installed surreptitiously along with popular applications like CCleaner and Avast, it's no wonder that Adobe thought that Chrome users wouldn't mind, or notice, yet another clandestine install.

        Now that I'm thinking about it, Chrome has come bundled with Adobe products as well! That's right, Adobe secretly installs the browser, and tries to set it as default. They've already gone that far, so what's the big deal about sliding along an extension?

      • A lot of people would never see the request. A lot of people ignore sync errors and requests for extension permissions in chrome because it buries them where users don't look or don't notice.
    • Chrome does that now, but Google could make Chrome behave differently and not ask, simply accept the new plugin (with its spying turned on by default) without prompting the user.

      Ultimately this allegation of "smarts" is not under the user's control, it's unsafe and a minor stroke of luck that things happened to work out the way they did for now. It doesn't strike me as smart to dismiss this as a settled matter, just as it was not smart for Microsoft Windows 10 users to believe that the OS privacy settings w

    • by Altrag ( 195300 )

      Yep. Chrome informed me that it was time to completely disable the Adobe auto-updater.

      FYI: Create a dword called bUpdate in \HKLM\SOFTWARE\Policies\Adobe\Adobe Acrobat Reader\DC\FeatureLockDown.. set it to 0 to completely disable updates or 1 to only disable the auto-updates and leave the manual checking available in the menu.

      Of course who knows how long before they decide to change or just flat out ignore that entry. But it works for now.

      • As someone who deploys Acrobat and Reader and their updates across domains, I can tell you that Adobe's documented controls are completely unreliable.

        http://www.adobe.com/devnet-do... [adobe.com]

        The ONLY thing I have ever gotten to work reliably is the option to disable putting an icon on the desktop. Disabling automatic updates, stopping automatic updates but allowing manual update checks, disabling the upsell, disabling usage tracking, disabling the login requirement, setting the default printer path, etc. simply be

    • by _KiTA_ ( 241027 )

      Yup. Tossed the icon up in the bar and sent me to the Adobe page.

      I immediately uninstalled it, force closed Chrome, and ran a full malware scan, since clearly I had been compromised by some form of browser hijacker, probably from a banner that got past uBlock. Imagine my delight when I found it wasn't a security violation, it was a violation of my trust.

      • by Alumoi ( 1321661 )

        Trust??!!
        WTF were you thinking trusting Adobe? Or Microsoft? Or Google? Or any modern corporation?

        • You do not trust Microsoft? What OS do you use? You do not trust Google? What search engine do you use?

          "Trust", in the way it is used in security, means that you have a certain expectation towards a certain resource and you are willing to believe it to perform a specific service with specific license provided by you. In a less abstract way, you use Google as a search engine and you trust it to provide you with reasonably matching results to the search terms you enter, and you also trust it not to deliberate

          • by Alumoi ( 1321661 )

            Nope.
            A mix of Linux and Windows.
            Never!
            DuckDuckGo, Bing (for porn, of course), Yandex

          • by _KiTA_ ( 241027 )

            Specifically, the violation of my trust was expecting a software updater not to install new, tangentially related, apps. An update to a DLL file to fix a security flaw is an update. A software extension to Google Chrome that mimics "Print to PDF" is a new install. Due to Windows restrictions I could not give them access to the former without access to do the latter. They abused having access for the former to do the latter.

            There's also the colloquial version of the term in that this was probably unethica

    • There is a signature made by Google attached to the extension. Without the proper signature the ext may only be used in developer mode. Or the user is asked to accept it, or not.
  • Funny (Score:5, Informative)

    by no-body ( 127863 ) on Wednesday January 11, 2017 @08:01PM (#53651377)

    Yesterday or two days ago, Chrome prompted me if I want to install something from Adobe, most likely extensions and I clicked no since I did not like those popups. Now looking at chrome://extensions/ - nothing like that there to see.
    What gives?

    • Re:Funny (Score:5, Interesting)

      by simcop2387 ( 703011 ) on Wednesday January 11, 2017 @08:12PM (#53651423) Homepage Journal

      That'd be chrome protecting you from this shit. They've gotten pretty good at detecting and preventing these kinds of drive by installs.

      • Re:Funny (Score:4, Insightful)

        by Obfuscant ( 592200 ) on Wednesday January 11, 2017 @08:40PM (#53651545)

        they've gotten pretty good at detecting and preventing these kinds of drive by installs.

        After gaining a large amount of market share by BEING a drive-by install (as part of java, IIRC), they ought to be good at detecting them.

        • by jon3k ( 691256 )
          What in the world are you talking about? Chrome was never installed as a part of Java. You're thinking of the ask or Yahoo! toolbar, maybe?
          • Not java but it was (is?) installed with flash player if you don't uncheck that box FROM THE DOWNLOAD PAGE (it does not ask if you want it when installing - it just installs chrome without asking). WTF? Normal google/adobe behavior I guess but I found it pretty dirty from them.

    • Re:Funny (Score:5, Informative)

      by fisternipply ( 215177 ) on Wednesday January 11, 2017 @08:19PM (#53651459)

      That was it. My chrome did the same thing not more than two hours ago...which means Acrobat updated itself silently. Which pisses me off. Now, what pisses me off even worse is that it's hard to turn off auto-update in Acrobat Reader DC and requires either editing the registry or downloading and installing another adobe preference manager program (link to help article: https://forums.adobe.com/threa... [adobe.com]). And even worse, the data collection was checked by default. A-holes.

      • That's interesting. Adobe reader had only ever checked for updates for me and never silently installed them. I install them all anyway since an unpatched reader is much like browsing the internet with IE6 in terms of attack potential but still all I get is an annoying prompt very frequently to update.

  • The good news ... (Score:5, Informative)

    by Langalf ( 557561 ) on Wednesday January 11, 2017 @08:02PM (#53651379)
    The good news is when I fired up Chrome, it asked me if I wanted to remove this unwanted extension.
    • by Chmarr ( 18662 )

      So... the article is inaccurate, as it's not "secret" at all, and it isn't even "installed" at all... just "ready to be installed".

      Fine reporting!

      • by Anonymous Coward

        It's installed, silently, by an auto updater. You have to grant it permission before it can run, but it's definitely installed.

    • by Anonymous Coward

      And your reply was...(don't leave a brother hangin)

      Q. Do you want to remove this unwanted extension?

      a.Yes
      b.No
      c.There was an extension? What deadline did I just miss?
      d.F**k yeah!
      e.Remove the extension, AND Cowboy Neal

      provocateur
      too lazy for caps, too lazy to log in

  • by BoRegardless ( 721219 ) on Wednesday January 11, 2017 @08:10PM (#53651411)

    I don't use Adobe anymore, PERIOD.

    • by fisternipply ( 215177 ) on Wednesday January 11, 2017 @08:20PM (#53651461)

      Not an option for everyone.

      • by Anonymous Coward

        Yes it is, the inconvenience in doing so might be judged too onerous but the choice remains.

        In my time I have given up:
        microsoft
        adobe
        oracle
        redhat/derivatives
        mozilla
        hp
        sony
        google

        and never used facebook, linkedin, twitter or similar. apple

        And the moment I can get a unix to run natively on a phone I'll choose to remove android

        • by Anonymous Coward

          do you also encrypt your grocery lists?

          • I don't encrypt mine, but I obfuscate. How is Big Dairy going to learn about my coffee-drinking preferences when I list "half and half" as "1"?

    • PERIOD.

      We don't need to know about your menstrual cycle.

    • I don't use Adobe anymore, PERIOD.

      I kind of have to, using the CS6 Master Suite (about 1/2 of them – the heavies). I am stuck with my current-generation Mac, and will not upgrade past OS X 10.10.5 Yosemite.

      Yes, Apple bought in to this forced upgrade cycle, and is in cahoots with Adobe to make everyone migrate to renting software, which I will not do.

      A program is analogous to a recipe (for a computer). It is a set of instructions == a recipe. Come to my kitchen––I'll bake you some bread. Here, it will not cost me a mem

  • I can view PDF with Chrome already, why should I have both installed?
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Sadly, Chrome doesn't perfectly support all PDFs yet. The usual gap is in forms. Another problem is that many forms created by software will specifically sabotage non-Adobe products. As an example: https://tax.iowa.gov/sites/files/idr/forms1/2015%201040%20fillable.pdf

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Some people require digital signatures on PDFs which requires adobe.
      Funny they don't really care WHAT you sign it with but do require it be signed...

    • by Altrag ( 195300 )

      Because it's unfair to Adobe if only Google and Microsoft are allowed to track your usage! You want to be fair don't you?

    • I find the built in PDF viewer in Chrome to not be that great, and the one in Firefox to be downright terrible.

      I use PDF X-change, but there's plenty of other options: Sumatra PDF, MuPDF , etc.

      The only reason I've used Adobe Reader recently was a stupid form that had scripting in it, that wouldn't work in any alternate viewer.

  • by Rosco P. Coltrane ( 209368 ) on Wednesday January 11, 2017 @08:15PM (#53651447)

    The extension is also Windows-only, meaning Mac and Linux Chrome users will not receive it.

    Why are Mac and Linux users treated better than Windows users? That's not fair!

    • by Anonymous Coward

      Linux users always seem to get better treatment on these type of issues.

    • by crow ( 16139 )

      The Linux version hasn't been updated in years. It's the only 32-bit program left on my system.

    • Why are Mac and Linux users threated better than Windows users? That's not fair!

      Fixed that for you

  • Now instead of having to browse the internet until the PDF reader gets hit by one of its countless exploits and install the malware on your PC, now it comes with it integrated into a neat package.

  • I thought it was odd this morning when I logged onto my Windows 7 work PC that the first thing I saw upon opening Chrome was a dialogue box asking permission to install a new extension from Adobe that I hadn't asked for. I declined, of course. Now I see my suspicions that it was official spyware have been vindicated, surprise surprise.
  • I wonder if it has a standard 'use Reader to open PDFs in browsers' option. Chrome will sometimes not print random elements from PDFs. They display fine, but when printing some parts are just blank. This may be useful for use and it might be an easier solution than 'save PDF to desktop, open in Adobe and print' or 'open in IE when you want to print'.

  • USE THIS (Score:5, Interesting)

    by JBMcB ( 73720 ) on Wednesday January 11, 2017 @09:03PM (#53651625)

    https://www.sumatrapdfreader.o... [sumatrapdfreader.org]

    Small. Fast. Loads DjVu and some E-Reader formats as well. No spyware.

    • by Anonymous Coward

      I also recommend Sumatra. Faster. Less invasive. Doesn't run in-PDF javascript. Actually nicer to use too. I uninstalled Adobe years ago and haven't looked back.

      • I just wish people developing software would remember that printing is a thing, particularly for documents like PDFs. Printing from Sumatra seems to be measured in minutes-per-page rather than pages-per-minute.

        • by Anonymous Coward

          For professional pdf work (ie stuff meant to go on a 5000 lpi-capable sheetfed press), it's also poop, it has poor font support and inconsistencies in layering. Not that the internal pdf readers in FF or Chrome do any better. While everyone probably cheered around here (free embedded pdf readers yay!!), us professional printer support technicians were suddenly assaulted by clients and coworkers demanding to know why all of our proofs were broken.

    • I've been using PDF-XChange viewer for some years now and I'm really happy with it.
      Is it too good to be true? Is someone going to come along and tell me it's stealing all the beer from my fridge?

    • by nnull ( 1148259 )
      Though, I did enjoy Sumatra on Windows, the problem for me and others is that all these PDF viewers, either in linux or Windows, they don't have a lot of the nice features that Adobe Acrobat has that are just convenient to use (They literally suck). Automatically OCR a document, multipage viewing that adjusts nicely to your screen, combine PDFs or whatever documents into one PDF, scanning, all the nice tools for review and note taking, etc. I had to sacrifice a lot of this nice convenience for my employees
    • by trawg ( 308495 )

      I nearly didn't bother looking at this because you didn't include "open source" in its list of features (given how fucked so many PDF readers are in terms of security - and by that of course I mean Acrobat Reader - this is an important issue for me).

      But, it turns out it is actually open source: https://github.com/sumatrapdfr... [github.com] (GPLv3).

  • by sheramil ( 921315 ) on Wednesday January 11, 2017 @10:13PM (#53651835)
    "Members of the secret metadata trust.. we have Sheramil's Acrobat usage information right here! Let's see.. documentation for mom's smart tv... a pirate copy of Frank Herbert's 'Dune Encyclopedia'... uh... D.Gingery's book on metal lathes.. very well! How do we monetize this information?" *crickets*
    • Has Gingery's book been released on PDF? I wasn't aware of that. Gingery is a small-press business and probably are hurt tremendously by pirates distributing PDF versions of their books.

      How will we bootstrap our early 20th century machine shops from scrap material and a charcoal forge after the apocalypse if Gingery's books aren't widely distributed, particularly in post-apoc. readable paper form?

    • by Dusthead Jr. ( 937949 ) on Thursday January 12, 2017 @01:27AM (#53652249)
      I never really understood this line of thinking, that if one is living an uninteresting, unimportant life they shouldn't care if they're being spied upon? Privacy is only for people of interest. Everyone else is fair game? I thought it was the famous people who were exempt from having private lives. Personally I think that even if all you do is go home to an empty house and stare at the walls all day you should still do it without, frankly high-tech peeping toms. But you should be free to choose whatever you want.
    • It's a web browser plugin, so it searches through all your browser cookies, and transfers that information. Scared now?
    • by AmiMoJo ( 196126 )

      There's lots of interesting stuff you can find out with spyware. Most people don't know how to uninstall apps, for example, so Adobe can see if they also have Sumatra or Foxit installed, i.e. who the competition is. Installed apps stats are also helpful when they want to slip their malware into other popular installers.

      They can collect data on how users react to user-hostile features and tune their abuse to get the revenue / annoying enough to use a different app ratio right. Even interaction data is really

    • by Nidi62 ( 1525137 )

      "Members of the secret metadata trust.. we have Sheramil's Acrobat usage information right here! Let's see.. documentation for mom's smart tv... a pirate copy of Frank Herbert's 'Dune Encyclopedia'... uh... D.Gingery's book on metal lathes.. very well! How do we monetize this information?" *crickets*

      "Ah, screw it. We will just tell the government that he is planning to use his metalworking skills to turn a smart TV into a smuggling device for drugs(street name 'spice') and get a nice little reward from the government. Might as well make some money off of this."

  • Can we have some perspective here? We're talking about Chrome people. Google. The masters of collecting data. If you use Chrome your data is no longer your own already. So what are you complaining about?
    • Having faith or trust in one company does not mean I have trust in another. So far Google have not negatively impacted me with personal data collection.

      On the other hand all my passwords are leaked in an unsalted hash format in a breach of Adobe along with all my account information. Their products are also an incredibly open attack vector and a security threat. I have zero faith or trust in Adobe.

    • Chrome only collects data if you want it to. Uncheck all the options under privacy and it's just another browser. Are you gonna complain that it sends every address you visit to Google? It's just the search as you type address bar doing what it's supposed to. Almost every modern browser has it and it can be disabled. Or you can change your search engine to DuckDuckGo or whatever.

      You can't have all this functionality without sending data somewhere.

  • by rossdee ( 243626 )

    What if you don't have Chrome installed?

    Say has anybody used the Foxit reader? How compatible is it?

    • Foxit collects a whole different range of 'anonymous' data and sends that to entirely different organisations. In that sense, it fulfills the same role, but is entirely incompatible.

  • This extension allows users to save any web page they're on as a PDF file and share it or download it to disk.

    Chrome has had these capabilities built-in for years. Go to the Print window and choose "Save as PDF".

    • That is a way smarter way to create PDFs than this stupid plug-in. In fact, many PDF programs will create a virtual printer that will accept anything sent to it and turn it into a PDF.
  • In the Chrome browser, just go to your extensions, find the Adobe extension, click on options and uncheck the box about sending info to Adobe. You can also disable the extension or click on the trash can to remove it. Hopefully one of these options will be useful to everyone unless Adobe is really sneaky and even if one takes the drastic measure of removing the extension there's enough left on your system to do the reporting work.
  • by Applehu Akbar ( 2968043 ) on Thursday January 12, 2017 @09:21AM (#53653305)

    "The extension is also Windows-only, meaning Mac and Linux Chrome users will not receive it. "

    Which is good, because if you use Mac you don't need Acrobat in the first place. In fact, the built-in PDF reader includes a number of the editing features that Adobe users have to pay for the "Pro" edition to get.

  • Chrome prompts for permission before an extension can install and lists what the extension is requesting access to.

  • Thankfully, my chrome gave me the ole heads up. But, sketchy for Adobe to think this was a good idea. Then again, they do try to install McAfee all the time. Should have seen this coming.
  • I hit block when Chrome told me because I assumed it was malicious because..you know....I didn't ask anything to install it.
  • It's been years since I allowed one to be installed on any machine under my control. Because, on the machines not under my control, the damned thing sucked so many processor cycles and crashed so often that ... well, why would you use Adobe to read PDFs?
