Adobe silently installs browser plugin with security update

vbimport

#1

We’ve just posted the following news: Adobe silently installs browser plugin with security update

Adobe has been caught silently installing a Chrome browser extension with a security update of its Acrobat Reader. During the installation process users are not notified that the plugin is installed, but as soon as they open Chrome, they are notified by the browser that an Adobe Acrobat extension has been added.

Read the full article here: [http://www.myce.com/news/adobe-silently-installs-browser-plugin-security-update-81221/](http://www.myce.com/news/adobe-silently-installs-browser-plugin-security-update-81221/)

Please note that the reactions from the complete site will be synched below.

#2

…and it sends data usage stats to Adobe checked by default!

I already have a PDF printer installed, hence no need for another one.


#3

I use Adobe Reader 9, from 7 or so years ago. There is absolutely no functionality that I need added in the new versions and as for security, I’d rather have that be my own responsibility to not open PDFs containing viruses. The way I see it is you have 2 options: 1) You watch out for what you download on the web using common sense and avoid viruses AND Adobe’s spyware or 2) Have Adobe install their updates on your PC and avoid SOME malware (but not others) but have Adobe install their spyware on your PC instead.

This is not just valid for Adobe but actually the majority of software from large corporations behaves this way today. Then they come crying about how users don’t wish to update software…

If you want me to update you’re gonna have to actually show me some real benefit in doing so. “Security” has become a gimmick and we all know that is 99% down to user behavior anyway so that’s not a valid reason, I need new functionality or something to work much better than before in a major way and without removing existing functionality (I’m looking at you, Microsoft!). Otherwise there is no justification for higher disk and RAM usage. And of course if you do something unethical such as installing spyware along with it then I don’t care how good your new product is, I’m not upgrading! It’s their loss anyway, they are the ones who will end up losing customers to open source software because that’s what commercial software that doesn’t innovate ends up becoming sooner or later.


#4

“I use Adobe Reader 9, from 7 or so years ago.”

Good to see that I’m not the only one not afraid to use “outdated” but still perfectly functional software that doesn’t broadcast your life history to Big Brother. BTW, still using circa 1995 Cool Edit Pro!


#5

I also got tired of Adobe Reader’s updates around 2006, as newer versions consumed too much CPU usage for me (1.8GHz single-core Intel Celeron at the time). If only I had a way to do the same with Flash Player. Once I thought Flash was the coolest thing ever, but it eventually became the bane of my existence, especially when H.264 advertisements started appearing (seriously, my machine would lag so badly, I didn’t have enough CPU for it to process the fact that I tried to close the web browser).


#6

[QUOTE=TSJnachos117;2786871]I also got tired of Adobe Reader’s updates around 2006, as newer versions consumed too much CPU usage for me (1.8GHz single-core Intel Celeron at the time). If only I had a way to do the same with Flash Player. Once I thought Flash was the coolest thing ever, but it eventually became the bane of my existence, especially when H.264 advertisements started appearing (seriously, my machine would lag so badly, I didn’t have enough CPU for it to process the fact that I tried to close the web browser).[/QUOTE]

Older versions of Flash Player generally have better performance on older machines. I personally use 11.9 even on my newer PCs. They have made no noticeable functionality upgrades since version 10 which a lot of people still use and may be faster but 11 works well for me. 11 is also the last release ever for Linux OSes and Adobe themselves have told developers to stop using Flash and switch to HTML5 which tells us that they will not be adding any more functionality to Flash, ever.

As for the ads, you can’t really browse the web today without using an Adblocker, especially on older computers. If you want even better performance disable Flash and JavaScript on all websites except ones that really require it or don’t waste resources with it for useless features. This is also the only way to avoid security issues with Flash, while not having to resort to upgrading to new bloated versions without new features added.

Here are downloads for old Flash versions from Macromedia’s (or Adobe or whatever) official site:

11.9 (one I use): http://download.macromedia.com/pub/flashplayer/installers/archive/fp_11.9.900.117_archive.zip
10.3 (may be faster): http://download.macromedia.com/pub/flashplayer/installers/archive/fp_10.3.183.90_archive.zip

Install the one ending with “_win.exe” if you’re using Netscape based browsers (NPAPI, aka everything but IE) or the “_winax.exe” one if you’re on Internet Explorer (ActiveX).


#7

Not surprised at all.

Yet another reason I’m glad I abandoned Adobe Acrobat Reader in favour of Foxit a dozen years ago.


#8

[QUOTE=aztekk;2786878]Older versions of Flash Player generally have better performance on older machines. I personally use 11.9 even on my newer PCs. They have made no noticeable functionality upgrades since version 10 which a lot of people still use and may be faster but 11 works well for me. 11 is also the last release ever for Linux OSes and Adobe themselves have told developers to stop using Flash and switch to HTML5 which tells us that they will not be adding any more functionality to Flash, ever.

As for the ads, you can’t really browse the web today without using an Adblocker, especially on older computers. If you want even better performance disable Flash and JavaScript on all websites except ones that really require it or don’t waste resources with it for useless features. This is also the only way to avoid security issues with Flash, while not having to resort to upgrading to new bloated versions without new features added.

Here are downloads for old Flash versions from Macromedia’s (or Adobe or whatever) official site:

11.9 (one I use): http://download.macromedia.com/pub/flashplayer/installers/archive/fp_11.9.900.117_archive.zip
10.3 (may be faster): http://download.macromedia.com/pub/flashplayer/installers/archive/fp_10.3.183.90_archive.zip

Install the one ending with “_win.exe” if you’re using Netscape based browsers (NPAPI, aka everything but IE) or the “_winax.exe” one if you’re on Internet Explorer (ActiveX).[/QUOTE]
It should be mentioned that using an old version is very risky. Adobe Flash is one of the most popular attack vectors for web-based attacks & malware. Older versions will contain unpatched vulnerabilities.


#9

[QUOTE=Ibex;2786882]It should be mentioned that using an old version is very risky. Adobe Flash is one of the most popular attack vectors for web-based attacks & malware. Older versions will contain unpatched vulnerabilities.[/QUOTE]

Thus I recommended disabling the Flash plugin on all websites except for trusted ones (youtube etc). I’ve been working in cyber security for over 10 years and it has always disturbed me when customers whether they be business or home users rely on security updates for their protection, I even had a bit of a “debate” over this recently on another forum. This is exactly the way you get hacked, waiting for companies to detect the malware, analyze it, patch it, validate the patch then deliver it to the users. It takes time to do all of that, and even after it’s done you are only protected from that one specific vulnerability and malware authors are constantly developing new ones. Relying on software updates is not a serious security precaution. If you want to secure your system or network the only way you can effectively do that is by blocking and/or changing user behavior. The latter is easier in a home environment, the former can be employed in all cases and is the only truly effective measure, blocking execution of attack code.

Of course you are relying on the websites you whitelist to not get penetrated by hackers, thus you need to be very careful while crafting the list. Sites like youtube or usatoday have a rather low chance of being hacked, and in case they did an even lower chance you actually got infected because they have employed professional teams who work on detecting and countering such hacking attempts 24/7. In any case it’s more than likely that if a high profile site such as USAToday.com got hacked and is serving exploit code that is likely to be 0-day anyway. Since it takes a lot of time and skill (and money) to execute such an attack I don’t think the attackers would be wasting their time serving public exploits that not only would have a lower infection rate but also be detected much faster (within minutes) by all antivirus website scanners. In the past most successful hacking cases of that sort and magnitude have served 0-day exploits in their payload. You can buy 0-day Flash exploits today for about $10,000 on Russian malware boards, so it’s not a difficult task obtaining that part if you have the cash. This is in fact the reason all major browser manufacturers have taken the decision to disable Java and Flash in their browsers in recent years, Oracle and Adobe have not been able / are unwilling to keep up with patching new exploits at the same rate they are introduced to the public.

So in other words, of course you are correct in that old versions of Flash (and many other software) contain unpatched vulnerabilities that are still being actively exploited on the web but it is wrong to suggest that after updating to the latest version everything is hunky dory. Adobe Flash along with Sun/Oracle Java are as you said the biggest attack vectors for web exploits today, and the reason for that is largely their ineffectiveness or unwillingness in patching exploits on time, to such an extent that browser vendors had to take action on their own (Firefox blocked Java and Flash and sent out open letters demanding they fix their vulnerabilities, Adobe complied and Oracle did not).

It is up to one’s personal deliberation whether to consider the benefits of having a significantly faster, non-bloated piece of software substantial enough to have to take on more responsibility for personal security and giving up on relying on software updates saving the day (which you shouldn’t do per se, but they do help in some cases sure). For me it is a no-brainer, even if the worst case scenario happens and my system gets infected somehow, I have the know-how and ability to detect and remove malware very quickly. I have been sitting in an ASM debugger analyzing modern malware long enough to know its way around and in most cases removing it is relatively pain-free. This likely explains my disdain for security updates. But as I said to each their own, some may rather trust their security to a third party even if they are known to do an inadequate job, simply due to lack of experience with removing malware, but I honestly believe that in this case, with the Flash plugin, it’s pretty safe and easy enough to take security into your own hands and just enjoy the benefits of being able to watch videos on an old PC…


#10

I also switched to Foxit a long time ago.


#11

Ugh! Again with installing things and sending data without a GUI option to deny or accept such things in GUI? Just what are these tech companies doing? Is it just profit for them, no shred of integrity anymore?


#12

[QUOTE=AaronZ26593;2786994]Ugh! Again with installing things and sending data without a GUI option to deny or accept such things in GUI? Just what are these tech companies doing? Is it just profit for them, no shred of integrity anymore?[/QUOTE]
And you think other companies are any different? I highly doubt they are different but do it differently. One should be at least glad they are patching security holes instead of leaving them wide open aka Apple O/S only admit it when you’re caught denying there is no security holes. I use Acrobat Pro so I don’t have to worry but it is also up to the user themselves to be prudent and do their own homework to keep their software up to date as well. All software from time to time and some more will need updates that is the nature of software to keep it working as it was intended to do aka Windows O/S. Also if you’re the best known aka Adobe/Windows and most used do you seriously think you don’t have a bullseye on your back? Come on folks, we have to be realistic here as well. @aztekk - As for someone who mentioned having worked in the field they should know this by now.