
This week Adobe pushed out a series of crucial security fixes to its PDF reader. Alongside the updates, the software firm appears to have installed an extra plugin onto the computers of customers.



According to numerous unconnected individuals on Twitter, the latest Adobe Reader update prompts people to install a Google Chrome Plugin.

The Adobe Acrobat and Reader updates (15.023.20053) are part of a release designed to fix a flaw that could let hackers take "control of the affected system". But when you install this security fix, the Adobe Acrobat plugin is automatically added to your browser.


"It auto-installed," security expert Troy Hunt told WIRED. "I literally walked up to my PC and the prompt was already there."

When enabling or downloading the Chrome Plugin, people are required to grant it three specific permissions next time they open Chrome: to "read and change all your data on the websites you visit", "manage your downloads", and "communicate with cooperating native applications". The plugin is intended to let users easily convert websites into PDFs. It should be noted that you can choose not to enable the plugin, and you don't have to hand over permissions to Adobe in order for the bug fixes to take effect.
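For administrators who want to see which installed extensions request the same three permissions, the sketch below maps each warning quoted above to the manifest entries that trigger it. It is an added example, not code from Adobe or WIRED; the sample manifest is constructed for illustration and is not Adobe's actual manifest, and the function names are hypothetical.

```python
import json
from pathlib import Path

# Chrome's permission warning text mapped to the manifest entries that trigger it.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
WARNINGS = {
    "read and change all your data on the websites you visit": BROAD_HOSTS,
    "manage your downloads": {"downloads"},
    "communicate with cooperating native applications": {"nativeMessaging"},
}

def requested(manifest: dict) -> set:
    """Collect the required permissions and host patterns a manifest declares."""
    found = set()
    for key in ("permissions", "host_permissions"):
        found.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts matching every site carry the same broad-host warning.
    for script in manifest.get("content_scripts", []):
        found.update(script.get("matches", []))
    return found

def audit(manifest: dict) -> list:
    """Return the warnings quoted in the article that this manifest triggers."""
    asked = requested(manifest)
    return [text for text, triggers in WARNINGS.items() if asked & triggers]

def audit_profile(extensions_dir: Path) -> dict:
    """Audit each <id>/<version>/manifest.json under a Chrome Extensions folder."""
    report = {}
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        hits = audit(manifest)
        if hits:
            report[f"{path.parts[-3]} ({manifest.get('name', '?')})"] = hits
    return report

# Constructed sample manifest for illustration; NOT Adobe's actual manifest.
SAMPLE = json.loads("""{
  "name": "Example PDF converter", "version": "1.0", "manifest_version": 2,
  "permissions": ["<all_urls>", "downloads", "nativeMessaging", "tabs"]
}""")

if __name__ == "__main__":
    for warning in audit(SAMPLE):
        print("requests:", warning)
```

Point `audit_profile` at a profile's `Extensions` directory to list every installed extension that would show any of these warnings.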


This technique of auto-installing plugins is typically used by hackers to get access to people's computers. Although this Adobe plugin appears to be from a legitimate source, it's concerning that a company dogged by security issues should use such a tactic.

WIRED has contacted Adobe for comment on the auto-install but the firm had not responded at the point of publication.

Adobe, in support documentation issued alongside the plugin, says URL data is not collected for the company. "This [permission] is required to allow the extension to convert HTML content to PDF," Adobe says. "However, the URL information is not sent back to Adobe."



Hunt added: "I suspect Adobe is attempting to take a slice out of the native in-browser PDF viewers, but this certainly felt a bit too bullish."

The firm added that the information collected only includes the browser type and version, Adobe desktop production information, and data on how menu options or buttons are selected. It does not, for example, include personal information that could be used to identify a person. Adobe claims that it details how it uses that information in its privacy policy.

The Adobe security updates were introduced to stop potential hackers from accessing computers remotely and installing malware. Across Adobe Reader, Acrobat and Flash Player there were 42 fixes for known problems.