It would be a shame if this experience put users off of automatically installing security patches it would not only put their own devices at risk, but would also make the internet as a whole less secure. Ormandy reported the XSS flaw to Adobe, who rated the vulnerability important and patched it a few days later. Once enabled, the extension exposed users to a potential XSS attack. As the Enable option was set by default, that is probably what most people chose. Chrome's security mechanisms block extensions from being enabled automatically, and so prompted users to either grant the Adobe Acrobat Chrome extension permission to access data on sites they visit, communicate with cooperating native applications and manage downloads, or to remove it from the browser. The purpose of the extension is to convert webpages into PDF files, but users only discovered it the next time they opened Chrome after the Patch Tuesday updates. At the time of the discovery, Chrome Web Store statistics showed there had been 30 million plus installations - an attractive user base for anyone looking to exploit the vulnerability. The number of user reviews complaining about the extension prompted Google Project Zero researcher Tavis Ormandy to examine the extension's code, and he discovered a Document Object Model-based, cross-site scripting (XSS) vulnerability that enabled privileged JavaScript code execution. Privacy experts and users quickly criticized Adobe's actions not only was the extension installed without users' approval, but it also sent anonymous telemetry data back to Adobe by default. Users had no option to block the installation, and it was not mentioned in the change log. 10, addressed 29 vulnerabilities it also silently installed an Adobe Acrobat Chrome extension on users' Windows PCs. The update for Adobe Acrobat Reader DC, released on Jan.
However, many users can be lax about ensuring they have the latest security patches installed, which is why most software vendors now push patches to users' machines automatically.Īdobe issues security updates for its products on Patch Tuesday, and they are automatically installed as the default setting. Keeping software up to date and patched is a critical aspect of IT security.
0 kommentar(er)
