Project Zero finds XSS bug in auto-installed Adobe Acrobat Chrome extension

An automatically installed Adobe Chrome extension has been found to leave millions vulnerable to cross-site scripting attacks.

Last week Adobe released an update to Acrobat that had a potentially unwanted passenger along for the ride: an automatically installed Chrome extension that, the next time Chrome was loaded, prompted the user to allow it to view and manipulate visited web pages and manage downloads.

Upon its release, Project Zero security researcher Tavis Ormandy found it left users vulnerable to cross-site scripting attacks.

"I think CSP [Content Security Policy] might make it impossible to jump straight to script execution, but you can iframe non web_accessible_resources, and easily pivot that to code execution, or change privacy options via options.html, etc," Ormandy wrote in the Project Zero issue tracker.

"I can see from the webstore statistics it's already got ~30M installations."

In response, Adobe said it had released a new version of the extension, which also phones home with information the company says is only for product improvement reasons.

Adobe pushes the installation of the extension only to users running Windows, and according to Decent Security, the extension can be blacklisted through policy.

Earlier this month, Ormandy called out Kaspersky for a simplistic certificate-storage scheme that left users open to TLS certificate collisions: the SSL proxy packaged with the Russian security company's Anti-Virus product stored only the first 32 bits of an MD5 hash.

"You don't have to be a cryptographer to understand a 32-bit key is not enough to prevent brute-forcing a collision in seconds," Ormandy said.
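The weakness in the Kaspersky case comes down to keying a lookup on a truncated digest. The sketch below is an added example, not code from Kaspersky or Project Zero: the function names and the constructed byte strings standing in for certificates are hypothetical, the cache is a plain dictionary, and the demonstration runs at a 16-bit width so it finishes instantly while the estimates are computed for the 32-bit width the article describes.

```python
import hashlib
import math

def truncated_key(cert_bytes: bytes, bits: int = 32) -> int:
    """Weak lookup key: only the first `bits` bits of the MD5 digest."""
    digest = int.from_bytes(hashlib.md5(cert_bytes).digest(), "big")
    return digest >> (128 - bits)

def full_key(cert_bytes: bytes) -> bytes:
    """Corrected lookup key: a full SHA-256 digest."""
    return hashlib.sha256(cert_bytes).digest()

def birthday_trials(bits: int) -> float:
    """Inputs needed for a ~50% chance that any two share a `bits`-bit key."""
    return math.sqrt(2 * math.log(2) * 2 ** bits)

def find_colliding_pair(bits: int):
    """Return two distinct constructed blobs with the same truncated key."""
    seen = {}
    for i in range(2 ** bits + 1):  # pigeonhole: a repeat must occur by here
        blob = b"constructed-certificate-%d" % i
        key = truncated_key(blob, bits)
        if key in seen:
            return seen[key], blob
        seen[key] = blob
    raise AssertionError("unreachable")

def lookup_confusion(bits: int = 16):
    """Store an entry for blob A, then look up blob B in both caches."""
    a, b = find_colliding_pair(bits)
    weak_cache = {truncated_key(a, bits): "decision for A"}
    strong_cache = {full_key(a): "decision for A"}
    return weak_cache.get(truncated_key(b, bits)), strong_cache.get(full_key(b))

if __name__ == "__main__":
    print("any-pair collision at 32 bits: ~%d inputs" % birthday_trials(32))
    print("match one chosen key at 32 bits: ~%d inputs" % 2 ** 32)
    print("16-bit demo (weak, strong):", lookup_confusion(16))
```

The weak cache returns A's entry for the unrelated blob B, while the cache keyed on the full digest returns nothing, which is the property a certificate cache needs.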