Adobe Acrobat's Chrome extension, which the desktop application unusually force-installs into the browser, was found to contain a DOM XSS in one of its extension pages. The flaw allowed a malicious website to escalate from the web origin into the extension's privileged context, potentially leading to arbitrary code execution on the user's system.
The vulnerability posed a significant security risk: an attacker could bypass the browser's origin isolation and the extension's own privacy settings, and from there potentially gain control over the user's computer, steal data, or install malware.
After a security researcher reported the flaw, Adobe released updates for both the Acrobat desktop application and the Chrome extension itself. Users were urged to update their software immediately to mitigate the risk. Google also took action, blocking older, vulnerable versions of the extension in the Chrome Web Store.
On January 12th, an automatic Adobe Acrobat update force-installed a new Chrome extension with ID efaidnbmnnnibpcajpcglclefindmkaj. You can view it on the Chrome Webstore here: https://chrome.google.com/webstore/detail/adobe-acrobat/efaidnbmnnnibpcajpcglclefindmkaj/
I can see from the webstore statistics it's already got ~30M installations.
It didn't take long to notice there's a DOM XSS in data/js/frame.html
531 } else if (request.current_status === "failure") {
532 analytics(events.TREFOIL_HTML_CONVERT_FAILED);
533 if (request.message) {
534 str_status = request.message;
535 }
536 success = false;
Presumably you can do
window.open("chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/data/js/frame.html?message=" + encodeURIComponent(JSON.stringify({
panel_op: "status",
current_status: "failure",
message: "<h1>hello</h1>"
})));
I think CSP might make it impossible to jump straight to script execution, but you can iframe non web_accessible_resources, and easily pivot that to code execution, or change privacy options via options.html, etc.
I've also noticed the way they've designed the "to_html" RPC seems racy, the url of a tab might change (because an attacker can do x = window.open(); x.location = "new location"). Right now I don't think you can do very much with it because it doesn't seem to be feature complete...but still, it seems worth noting this so it doesn't introduce a vulnerability when they enable it.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Adobe Acrobat Force-Installed Vulnerable Chrome Extension
Written by: khalil shreateh
Category: Vulnerabilities