Adobe Acrobat browser extension hollowing out same-origin policy

[Gandalf_The_Grey]

Content source

https://palant.info/2022/04/19/adobe-acrobat-hollowing-out-same-origin-policy/

It’s unclear whether all the countless people who have the Adobe Acrobat browser extension installed actually use it. The extension being installed automatically along with the Adobe Acrobat application, chances are that they don’t even know about it. But security-wise it doesn’t matter, an extension that’s installed and unused could still be exploited by malicious actors. So a few months ago I decided to take a look.

To my surprise, the extension itself did almost nothing despite having a quite considerable code size. It’s in fact little more than a way to present Adobe Document Cloud via an extension, all of the user interface being hosted on Adobe’s servers. To make this work smoother, Adobe Acrobat extension grants documentcloud.adobe.com website access to some of its functionality, in particular a way to circumvent the browser’s same-origin policy (SOP). And that’s where trouble starts, it’s hard to keep these privileges restricted to Adobe properties.

Companies don’t usually like security reports pointing out that something bad could happen. So I went out on a quest to find a Cross-site Scripting (XSS) vulnerability allowing third-party websites to abuse the privileges granted to documentcloud.adobe.com. While I eventually succeeded, this investigation yielded a bunch of dead ends that are interesting on their own. These have been reported to Adobe, and I’ll outline them in this article as well.

TL;DR: Out of six issues reported, only one is resolved. The main issue received a partial fix, two more got fixes that didn’t quite address the issue. Two (admittedly minor) issues haven’t been addressed at all within 90 days from what I can tell.

 

[The_King]

I'm personally glad no more Adobe software hogging up my CPU.

No Adobe flash no Adobe PDF for me.

 

[M4RT1NE2]

I've been messing around with PDF viewers a bit lately as you know.

I don't have any program from Acrobat on my disk anymore. I use SumatraPDF to view the PDF.

My problem with Adobe Acrobat Reader is over. When I had Adobe Acrobat Reader installed the installation was well over 700MB.
SumatraPDF takes me exactly 18.7MB

 

[byronbytes]

I don't like Adobe softawre for two reasons.

- One application causes bloat on the entire device with unnessesary background services.
- Overpriced

It hogs resources that it shouldn't need to. If I want to open photoshop, only open photoshop, not 12 other processes in the background.

(Also, I would say something, but I'm not. If you know, you know.)

 

[L0ckJaw]

Fox it reader

 

[M4RT1NE2]

Fox it reader

Installation file over 190 MB ?

SumatraPDF less than 7,3 MB

 

[L0ckJaw]

Foxit is more professional than Sumatra

 

[M4RT1NE2]

I'm guessing
For me SumatraPDF, is sufficient to view PDF files. I don't expect anything else from it.

 

[Gandalf_The_Grey]

But with the modern browsers being capable of reading pdf files do you really need an alternative pdfreader?

 

[M4RT1NE2]

But with the modern browsers being capable of reading pdf files do you really need an alternative pdfreader?

You're right .
But in my case it's probably out of habit that way.
There has always been a separate program on disk for PDF files (Acrobat, etc).

 

[L0ckJaw]

But with the modern browsers being capable of reading pdf files do you really need an alternative pdfreader?

Yes need to sign documents digitally, this is not working when using browser .

 

[Andy Ful]

I use Xodo Pdf (Xodo Technologies Inc.). Fast and very safe.

1. It allows safely viewing the PDF documents and MS Office documents.
2. It is the fastest PDF viewer for large files.
3. It can run in AppContainer.
4. It blocks active content embedded in documents.
5. It is from Microsoft Store (UWP app) so can be additionally protected by Exploit Protection mitigation: "Code integrity guard" (BlockNonMicrosoftSigned, AllowStoreSigned).

 

[M4RT1NE2]

I use Xodo Pdf (Xodo Technologies Inc.). Fast and very safe.

1. It allows safely viewing the PDF documents and MS Office documents.
2. It is the fastest PDF viewer for large files.
3. It is running in AppContainer.
4. It blocks active content embedded in documents.
5. It is from Microsoft Store (UWP app) so can be additionally protected by Exploit Protection mitigation: "Code integrity guard" (BlockNonMicrosoftSigned, AllowStoreSigned).

According to the description, it looks interesting. I think I will install it and check it out