Adobe Acrobat browser extension hollowing out same-origin policy

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,586
It’s unclear whether all the countless people who have the Adobe Acrobat browser extension installed actually use it. The extension being installed automatically along with the Adobe Acrobat application, chances are that they don’t even know about it. But security-wise it doesn’t matter: an extension that’s installed and unused could still be exploited by malicious actors. So a few months ago I decided to take a look.

To my surprise, the extension itself did almost nothing despite having a quite considerable code size. It’s in fact little more than a way to present Adobe Document Cloud via an extension, all of the user interface being hosted on Adobe’s servers. To make this work more smoothly, the Adobe Acrobat extension grants the documentcloud.adobe.com website access to some of its functionality, in particular a way to circumvent the browser’s same-origin policy (SOP). And that’s where the trouble starts: it’s hard to keep these privileges restricted to Adobe properties.

Companies don’t usually like security reports pointing out that something bad could happen. So I went out on a quest to find a Cross-site Scripting (XSS) vulnerability allowing third-party websites to abuse the privileges granted to documentcloud.adobe.com. While I eventually succeeded, this investigation yielded a bunch of dead ends that are interesting on their own. These have been reported to Adobe, and I’ll outline them in this article as well.

TL;DR: Out of six issues reported, only one is resolved. The main issue received a partial fix, two more got fixes that didn’t quite address the issue. Two (admittedly minor) issues haven’t been addressed at all within 90 days from what I can tell.
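The core risk in the post above is that whichever web origins an extension chooses to trust inherit the extension's privileges, so an XSS on any of those origins becomes a same-origin-policy bypass. The following is an added example for readers who want to audit an extension on their own machine; it is not code from the post, from the article it quotes, or from Adobe. It assumes the trust is granted through the manifest's `externally_connectable` list (the standard Chrome mechanism for letting web pages message an extension); the post does not say how the Adobe extension grants it. The manifest, the vendor hostnames and all function names below are constructed for the example.

```javascript
// Constructed sample manifest (hypothetical): one vendor site may message the
// extension, a second pattern is wider than it should be, and the extension
// itself holds cross-origin host permissions.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example Document Extension (hypothetical)",
  host_permissions: ["<all_urls>"],
  externally_connectable: {
    matches: ["https://documentcloud.adobe.com/*", "*://*.example-vendor.test/*"],
  },
};

// Split a Chrome match pattern into scheme, host and path. "<all_urls>"
// is the catch-all. Returns null for a pattern the browser would reject.
function parseMatchPattern(pattern) {
  if (pattern === "<all_urls>") return { scheme: "*", host: "*", path: "/*" };
  const m = /^(\*|https?):\/\/(\*|\*\.[^/*]+|[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) return null;
  return { scheme: m[1], host: m[2].toLowerCase(), path: m[3] };
}

// Turn the path glob ("*" = any run of characters) into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob
    .split("*")
    .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp(`^${escaped}$`);
}

// Decide whether a page at `url` falls under a parsed pattern. The URL is
// parsed with the URL API so userinfo tricks (https://trusted@evil/) and
// look-alike suffixes (trusted.com.evil) are judged on the real hostname.
function patternMatchesUrl(parsed, url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return false;
  }
  const scheme = u.protocol.replace(/:$/, "");
  if (parsed.scheme === "*") {
    if (scheme !== "http" && scheme !== "https") return false;
  } else if (parsed.scheme !== scheme) {
    return false;
  }
  const host = u.hostname.toLowerCase();
  if (parsed.host.startsWith("*.")) {
    const base = parsed.host.slice(2);
    if (host !== base && !host.endsWith("." + base)) return false;
  } else if (parsed.host !== "*" && host !== parsed.host) {
    return false;
  }
  // Chrome matches the pattern path against path plus query string.
  return globToRegExp(parsed.path).test(u.pathname + u.search);
}

// List which origins may message the extension and flag the ones where that
// trust is wider than a single HTTPS host, plus the SOP-bypass combination.
function auditExternallyConnectable(manifest) {
  const findings = [];
  const patterns = (manifest.externally_connectable || {}).matches || [];
  const hostPerms = [...(manifest.host_permissions || []), ...(manifest.permissions || [])];
  const broadHostAccess = hostPerms.some((p) => p === "<all_urls>" || /^\*:\/\/\*\//.test(p));
  const messagingOrigins = [];
  for (const p of patterns) {
    const parsed = parseMatchPattern(p);
    if (!parsed) {
      findings.push(`${p}: malformed pattern`);
      continue;
    }
    messagingOrigins.push(p);
    if (parsed.host === "*") findings.push(`${p}: any website may message the extension`);
    if (parsed.scheme !== "https") findings.push(`${p}: plain-http pages qualify; their content can be altered in transit`);
    if (parsed.host.startsWith("*.")) {
      findings.push(`${p}: every subdomain of ${parsed.host.slice(2)} is trusted; an XSS on any of them inherits the extension's privileges`);
    }
  }
  if (broadHostAccess && messagingOrigins.length > 0) {
    findings.push("extension holds cross-origin host permissions, so a trusted origin may read other sites through it (same-origin policy bypass)");
  }
  return { messagingOrigins, findings };
}

// Does a given page get to talk to the extension at all?
function originCanMessage(manifest, url) {
  const patterns = (manifest.externally_connectable || {}).matches || [];
  return patterns.some((p) => {
    const parsed = parseMatchPattern(p);
    return parsed !== null && patternMatchesUrl(parsed, url);
  });
}

console.log(JSON.stringify(auditExternallyConnectable(SAMPLE_MANIFEST), null, 2));
```

To check a real extension, read its manifest.json out of the browser's extension directory and pass the parsed object to `auditExternallyConnectable`; every entry in `messagingOrigins` is a site whose web security now matters as much as the extension's own.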
 

The_King

Level 12
Verified
Top Poster
Well-known
Aug 2, 2020
542
I'm personally glad no more Adobe software hogging up my CPU.

No Adobe flash no Adobe PDF for me. (y)
 
  • Like
Reactions: M4RT1NE2

M4RT1NE2

Level 14
Verified
Top Poster
Well-known
Mar 19, 2022
650
I've been messing around with PDF viewers a bit lately as you know.

I don't have any program from Acrobat on my disk anymore. I use SumatraPDF to view the PDF.

My problem with Adobe Acrobat Reader is over. When I had Adobe Acrobat Reader installed, the installation was well over 700MB.
SumatraPDF takes up exactly 18.7MB.
 
  • Like
Reactions: mkoundo

byronbytes

Level 2
Mar 30, 2022
51
I don't like Adobe software for two reasons.

- One application causes bloat on the entire device with unnecessary background services.
- Overpriced

It hogs resources that it shouldn't need to. If I want to open photoshop, only open photoshop, not 12 other processes in the background.

(Also, I would say something, but I'm not. If you know, you know.)
 
  • Applause
Reactions: M4RT1NE2

M4RT1NE2

Level 14
Verified
Top Poster
Well-known
Mar 19, 2022
650
I'm guessing :)
For me SumatraPDF, is sufficient to view PDF files. I don't expect anything else from it.
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,586
But with modern browsers being capable of reading PDF files, do you really need an alternative PDF reader?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
I use Xodo Pdf (Xodo Technologies Inc.). Fast and very safe.
  1. It allows safely viewing the PDF documents and MS Office documents.
  2. It is the fastest PDF viewer for large files.
  3. It can run in AppContainer.
  4. It blocks active content embedded in documents.
  5. It is from Microsoft Store (UWP app) so can be additionally protected by Exploit Protection mitigation: "Code integrity guard" (BlockNonMicrosoftSigned, AllowStoreSigned).
 
Last edited:

M4RT1NE2

Level 14
Verified
Top Poster
Well-known
Mar 19, 2022
650
I use Xodo Pdf (Xodo Technologies Inc.). Fast and very safe.
  1. It allows safely viewing the PDF documents and MS Office documents.
  2. It is the fastest PDF viewer for large files.
  3. It is running in AppContainer.
  4. It blocks active content embedded in documents.
  5. It is from Microsoft Store (UWP app) so can be additionally protected by Exploit Protection mitigation: "Code integrity guard" (BlockNonMicrosoftSigned, AllowStoreSigned).

According to the description, it looks interesting. I think I will install it and check it out.
 
  • Like
Reactions: Andy Ful
