
Vulnerable Adobe extension downloads covertly to Chrome

News roundup: A flawed Adobe extension was secretly installed on 30 million Chrome browsers. Plus, the Mirai author has been identified; Google releases security details; and more.

Adobe's rocky security reputation took another hit after a Google Project Zero researcher discovered a cross-site scripting vulnerability in an automatically installed Chrome extension.

The Adobe Acrobat Chrome extension, which converts web pages into PDFs, was installed automatically alongside Adobe's Jan. 10 update, which patched 29 security vulnerabilities. The extension is only installed on Windows, and Project Zero researcher Tavis Ormandy found that it already had approximately 30 million installations. The installation happens without the user's consent or knowledge; it only becomes visible when the browser is restarted and the user is asked to grant the extension permission to read and change all the data on the websites they visit, manage all the user's downloads and "communicate with cooperating native applications."

Users are given the option of removing the Adobe extension, but it is enabled by default. Another default setting of the Adobe Acrobat extension is to allow it to "send anonymous usage information to Adobe for product improvement purposes." Adobe claims that no personally identifiable information is collected, so the data is meaningless to anyone outside of Adobe.

Ormandy discovered a DOM-based cross-site scripting (XSS) vulnerability in one of the extension's own pages. Because the injected markup runs in the extension's origin rather than in an ordinary web page, the vulnerability allowed privileged JavaScript code execution with the extension's permissions.

"I think [Content Security Policy] might make it impossible to jump straight to script execution," wrote Ormandy. "But you can iframe non web_accessible_resources, and easily pivot that to code execution, or change privacy options via options.html, etc."

Ormandy reported the vulnerability to Adobe last week, and Adobe issued an update for the extension Thursday, rating the vulnerability important.
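The following is an added illustration of the bug class described above; it is not Adobe's extension code and does not reproduce the specific flaw Ormandy reported. It shows a DOM-based XSS sink in an extension page beside its escaped form, and a small (simplified, no nonce, hash or host-wildcard handling) CSP checker that makes Ormandy's point concrete: the default Manifest V2 extension policy, `script-src 'self'; object-src 'self'`, stops an injected inline script, but nothing in it stops injected markup that frames another page of the same extension. The function names, the `file` parameter and the extension id `abc` are assumptions for the example.

```javascript
// Added illustration, not Adobe's extension code and not the specific bug
// Ormandy reported. Assumed names: renderStatus*, the "file" parameter and
// the extension id "abc". Runs stand-alone under Node.

// Escape the five characters that matter when text is placed into HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Read a parameter from the page's own URL: a classic DOM XSS source.
function fileParam(pageUrl) {
  return new URL(pageUrl).searchParams.get('file') || '';
}

// Vulnerable: attacker-controlled text is concatenated into markup that the
// page would assign to innerHTML, so injected tags become part of the DOM.
function renderStatusUnsafe(pageUrl) {
  return `<p>Converted: ${fileParam(pageUrl)}</p>`;
}

// Hardened: escape before building markup (on a real DOM, use textContent).
function renderStatusSafe(pageUrl) {
  return `<p>Converted: ${escapeHtml(fileParam(pageUrl))}</p>`;
}

// Parse a CSP string into directive -> list of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Resolve a directive through its CSP fallback chain; null means no directive
// governs the fetch at all, i.e. it is unrestricted.
const FALLBACK = {
  'script-src': ['script-src', 'default-src'],
  'frame-src': ['frame-src', 'child-src', 'default-src'],
};
function effectiveSources(directives, directive) {
  for (const d of FALLBACK[directive] || [directive, 'default-src']) {
    if (directives.has(d)) return directives.get(d);
  }
  return null;
}

// Origin built from scheme and host, because Node's URL.origin reports
// "null" for non-special schemes such as chrome-extension:.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Would an injected <script> block or onerror= handler be allowed to run?
function cspAllowsInlineScript(policy) {
  const sources = effectiveSources(parseCsp(policy), 'script-src');
  return sources === null || sources.includes("'unsafe-inline'");
}

// Would an injected <iframe src=frameUrl> load inside a page at pageOrigin?
// Simplified matching: *, 'self', scheme-source ("https:") and exact origin.
function cspAllowsFrame(policy, pageOrigin, frameUrl) {
  const sources = effectiveSources(parseCsp(policy), 'frame-src');
  if (sources === null) return true;
  const target = originOf(frameUrl);
  return sources.some((s) =>
    s === '*' ||
    (s === "'self'" && target === pageOrigin) ||
    (s.endsWith(':') && target.startsWith(`${s}//`)) ||
    s === target
  );
}

// Stand-alone demonstration with a constructed payload.
const MV2_DEFAULT_CSP = "script-src 'self'; object-src 'self'";
const payloadUrl = 'chrome-extension://abc/status.html?file=' +
  encodeURIComponent('<img src=x onerror=alert(1)>');
console.log(renderStatusUnsafe(payloadUrl));   // the <img> tag survives into the markup
console.log(renderStatusSafe(payloadUrl));     // the tag is rendered as text
console.log(cspAllowsInlineScript(MV2_DEFAULT_CSP));   // false: inline handler is blocked
console.log(cspAllowsFrame(MV2_DEFAULT_CSP, 'chrome-extension://abc',
  'chrome-extension://abc/options.html'));             // true: same-extension frame is allowed
```

The second half is the practitioner's takeaway: a default-src 'self' policy does not help either, because the framed options page shares the extension's origin, so the only real fix is removing the sink, which is what the escaped version does.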

Adobe has often been criticized for the number of security flaws in its software products, particularly the many critical vulnerabilities in Flash that have pushed the industry toward HTML5 instead. Adobe also recently paid a $1 million settlement over a 2013 data breach that exposed millions of customers' sensitive information.

In other news:

  • Security journalist Brian Krebs believes he has identified the mysterious Anna-Senpai, the author of the Mirai malware strain that builds botnets out of IoT devices. Krebs' website, KrebsonSecurity.com, was forced offline for four days in September by a series of Mirai-powered DDoS attacks. Krebs' post details how he traced the identity of the Mirai co-author, a man named Paras Jha who lives in New Jersey, as well as the evolution of the Mirai malware. Jha, according to Krebs, developed the code that became Mirai with others in a group known as "Lelddos," which in 2014 launched attacks on servers for the online game Minecraft. "Lelddos would launch a huge DDoS attack against a Minecraft server, knowing that the targeted Minecraft server owner was likely losing thousands of dollars for each day his gaming channel remained offline," explained Krebs. Jha's LinkedIn page, interestingly, lists him as the president of a DDoS mitigation company called ProTraf Solutions.
  • Google recently let the public see under the hood of the Google Cloud Platform infrastructure. In a paper, Google described its security infrastructure in six layers: operational security, internet communication, storage services, user identity, service deployment and hardware infrastructure. While most organizations would be wary of letting the public see into their security, Google showed little hesitation in making the information public. Google discussed its data center security in detail, since it builds its own data centers. One of the more interesting facts noted in the paper is that Google designs custom chips, including a "hardware security chip" for both servers and peripherals. "These chips allow us to securely identify and authenticate legitimate Google devices at the hardware level," Google wrote in the paper. Another interesting takeaway is that Google doesn't host all of its servers in its own facilities. "Google additionally hosts some servers in third-party data centers, where we ensure that there are Google-controlled physical security measures on top of the security layers provided by the data center operator," the paper reads. "For example, in such sites we may operate independent biometric identification systems, cameras, and metal detectors."
  • Fidelis Cybersecurity Threat Research recently discovered attacks on Hadoop Distributed File System (HDFS) installations that closely resemble the earlier attacks on exposed MongoDB and Elasticsearch databases; as with the MongoDB attacks, a threat actor was observed erasing HDFS directories and leaving a directory name behind as a calling card. "There was no attempt to claim a ransom or any other communication -- the data was simply deleted and that directory name was left as a calling card," Fidelis wrote. "We estimate that the potential exposure of this attack is around 8,000-10,000 HDFS installations worldwide, but precise numbers are difficult to determine." Given the similarities between the HDFS attacks and the MongoDB attacks, the number of attacks on HDFS is likely to grow.
  • A new strain of ransomware called Spora has one of the most sophisticated ransom payment systems seen so far, according to experts. The ransomware targets Russian-speaking users and offers tiered payment options: Full Restore ($79); Immunity ($50), meaning protection from future attacks; Removal ($20); and File Restore ($30). The ransomware was first noticed on the Bleeping Computer and Kaspersky forums. Spora also stands out for its encryption scheme, a combination of the RSA and AES algorithms, and for the fact that it can encrypt files without an internet connection. Spora is spread through spam emails that look like invoices with ZIP files attached. When the user opens the ZIP file, the HTML Application files inside launch and infect the system with the malware. The victim is then offered the payment tiers above, all of which are paid in bitcoin.

Next Steps

Learn more about browser extension security

Find out if Firefox or Chrome is the more secure browser

Check out what 2017 means for Chrome's certificate transparency
