Adobe Acrobat browser extension hollowing out same-origin policy

Gandalf_The_Grey

Apr 24, 2016
It’s unclear whether all the countless people who have the Adobe Acrobat browser extension installed actually use it. The extension being installed automatically along with the Adobe Acrobat application, chances are that they don’t even know about it. But security-wise it doesn’t matter: an extension that’s installed and unused could still be exploited by malicious actors. So a few months ago I decided to take a look.

To my surprise, the extension itself did almost nothing despite having a quite considerable code size. It’s in fact little more than a way to present Adobe Document Cloud via an extension, all of the user interface being hosted on Adobe’s servers. To make this work more smoothly, the Adobe Acrobat extension grants the documentcloud.adobe.com website access to some of its functionality, in particular a way to circumvent the browser’s same-origin policy (SOP). And that’s where trouble starts: it’s hard to keep these privileges restricted to Adobe properties.

Companies don’t usually like security reports pointing out that something bad could happen. So I went out on a quest to find a Cross-site Scripting (XSS) vulnerability allowing third-party websites to abuse the privileges granted to documentcloud.adobe.com. While I eventually succeeded, this investigation yielded a bunch of dead ends that are interesting on their own. These have been reported to Adobe, and I’ll outline them in this article as well.

TL;DR: Out of six issues reported, only one is resolved. The main issue received a partial fix, two more got fixes that didn’t quite address the issue. Two (admittedly minor) issues haven’t been addressed at all within 90 days from what I can tell.
 

The_King

Aug 2, 2020
I'm personally glad no more Adobe software hogging up my CPU.

No Adobe flash no Adobe PDF for me. (y)
 

Asterixpl

Mar 19, 2022
I've been messing around with PDF viewers a bit lately as you know.

I don't have any program from Acrobat on my disk anymore. I use SumatraPDF to view PDFs.

My problem with Adobe Acrobat Reader is over. When I had Adobe Acrobat Reader installed, the installation was well over 700 MB.
SumatraPDF takes up exactly 18.7 MB.
 

byronbytes

Mar 30, 2022
I don't like Adobe software for two reasons.

- One application causes bloat on the entire device with unnecessary background services.
- Overpriced

It hogs resources that it shouldn't need to. If I want to open Photoshop, only open Photoshop, not 12 other processes in the background.

(Also, I would say something, but I'm not. If you know, you know.)
 

Asterixpl

Mar 19, 2022
I'm guessing :)
For me, SumatraPDF is sufficient to view PDF files. I don't expect anything else from it.
 

Andy Ful

Dec 23, 2014
I use Xodo Pdf (Xodo Technologies Inc.). Fast and very safe.
  1. It allows safely viewing the PDF documents and MS Office documents.
  2. It is the fastest PDF viewer for large files.
  3. It can run in AppContainer.
  4. It blocks active content embedded in documents.
  5. It is from Microsoft Store (UWP app) so can be additionally protected by Exploit Protection mitigation: "Code integrity guard" (BlockNonMicrosoftSigned, AllowStoreSigned).
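To make item 5 concrete, here is an added PowerShell example (not from the post above, and not Xodo's or Microsoft's own code) that applies Exploit Protection's "Code integrity guard" to a process image with the ProcessMitigations module that ships with Windows 10 1709 and later, then reads the settings back. The image name is a placeholder assumption; substitute the viewer's actual executable name as shown in Task Manager. The session must be elevated.

```powershell
# Added example: apply Exploit Protection's "Code integrity guard" to one process image.
# Requires an elevated (Administrator) PowerShell session on Windows 10 1709 or later,
# where the ProcessMitigations module is part of the OS.

# PLACEHOLDER (assumption): replace with the viewer's real image name from Task Manager.
$imageName = 'XodoViewerPlaceholder.exe'

# Show the per-image mitigation settings before changing anything.
Write-Host "Current mitigations for $imageName"
Get-ProcessMitigation -Name $imageName | Format-List

# BlockNonMicrosoftSigned: only allow DLLs signed by Microsoft to load into the process
# (this is the switch the Windows Security UI calls "Code integrity guard").
# AllowStoreSigned: additionally accept images signed for the Microsoft Store, which a
# Store-distributed (UWP) viewer needs so that its own binaries are still allowed to load.
Set-ProcessMitigation -Name $imageName -Enable BlockNonMicrosoftSigned, AllowStoreSigned

# Read the settings back to confirm the change took effect.
Write-Host "Mitigations for $imageName after the change"
Get-ProcessMitigation -Name $imageName | Format-List
```

The same per-program setting is visible under Windows Security > App & browser control > Exploit protection settings > Program settings; the cmdlet and the GUI write the same registry-backed policy, so either can be used to verify what the other set. If the viewer later fails to load one of its own modules, that is the expected effect of the guard on an unsigned or non-Microsoft-signed DLL and the place to start troubleshooting.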

Asterixpl

Mar 19, 2022
I use Xodo Pdf (Xodo Technologies Inc.). Fast and very safe.
  1. It allows safely viewing the PDF documents and MS Office documents.
  2. It is the fastest PDF viewer for large files.
  3. It is running in AppContainer.
  4. It blocks active content embedded in documents.
  5. It is from Microsoft Store (UWP app) so can be additionally protected by Exploit Protection mitigation: "Code integrity guard" (BlockNonMicrosoftSigned, AllowStoreSigned).

According to the description, it looks interesting. I think I will install it and check it out.
 