Adobe angers Chrome users by bundling browser plugin with security update
on
Get link
Facebook
Twitter
Pinterest
Email
Other Apps
Peter Bright
Adobe rolled out a set of patches for Acrobat,
Adobe Reader, and Flash on Patch Tuesday this week, and the update had
an unwelcome surprise in store for Chrome users. After updating their
systems, they found that Chrome was prompting them to enable an
extension from Adobe.
The extension does a couple of things; it
provides a quick way to convert a Web page into a PDF if you have a
full, paid version of Acrobat, and it lets you choose to open PDFs in
Adobe Reader rather than using Chrome's built-in PDF support. This is
occasionally useful for using PDF features that the browser-based
support doesn't offer. The extension has existed for some years. The
new, more aggressive distribution is new,
however. The plugin seeks permission to do three things; "read and
change all data on the websites you visit," "manage your downloads," and
"communicate with cooperating native applications." The level of access
required appears to be consistent with the plugin's stated purpose: as
it can make a PDF of any page, it needs to have access to any page, and
Chrome does not distinguish between extensions that read from pages and
those that modify them.
The extension also collects basic information
and sends this to Adobe. This tracking appears to be on by default,
though it can be disabled through the extension's options page. Adobe states that this information is anonymous and does not include URL data.
With latest Reader update,
Adobe is automatically prompting users to install a Chrome extension
which includes telemetry. Says no URLs. pic.twitter.com/PnDV4Zy0fv
Given how long it has been available, it's
likely that the extension itself is harmless enough and serves
its official purpose. Regardless of whether users enable the extension
or not, the security fixes are applied correctly. But the decision
to install the extension apparently unprompted, as part of a security
update, has provoked plenty of complaint from security-minded users. The
general feeling is that security fixes are too important to be made
intrusive, and that users should never be wary of installing a security
fix for fear of that fix including unwanted features that are coming
along for the ride. Automatically installed plugins, even if those
plugins are not enabled, would be just the kind of unwanted behavior
that generates skepticism around security fixes.
Comments
Post a Comment