Users criticise Adobe for bundling Chrome plug-in with security patches

Adobe gives another masterclass in how not to do security

Users who dutifully downloaded the latest update to Adobe's PDF Reader software have hit out at the software company after finding out that the security updates had surreptitiously installed an extension to the Google Chrome web browser - if they used it - without their express permission.

Adobe Acrobat and Acrobat Reader have new updates designed to fix a vulnerability that could enable miscreants to take control of a system infected with the relevant malware.

However, it appears that in order to combat this, Abode is now automatically adding a plug-in to Chrome's browser when users update Acrobat Reader.

Adobe has been criticised in the past for being all-too-willing to try and push Chrome on users when they apply security updates for Acrobat Reader or Flash.

You do have to give permission for Adobe to "read and change all your data on websites you visit", "manage your downloads" and "communicate with cooperating native applications". That's three big asks right there. And it's not made clear that saying no won't affect the bug fixes in the main programme.

Adobe isn't exactly in a position to throw stones about security. This type of plug-in is fairly typically used in "bundleware" and adware scams. The company has long been criticised for bundling software in with the Java runtime package. And don't get us started on Adobe Flash.

This new plug-in is apparently a way of saving web pages as PDFs. But that's not fixing the problem at hand - that's adding functionality - and optional functionality at that. It answers a question no-one actually asked, especially given that Chrome has a PDF reader built in any way.

Weirdest of all - it's not even a new thing, it has been an optional extra for years, so why randomly start forcing people to bundle it now?

Adobe has stated in its teeny-weeny small print that any information about URLs isn't sent to its servers, but then why ask for the permission. And indeed why suddenly make it part of the main update randomly one day?

The issue here is that this was a security fix. Microsoft tried a similar tactic last year when it hid the Get Windows 10 update that spewed ads for Windows 10, inside a security update. Taking a highly partisan view: Security and functionality are two different things. Don't use one to meddle with the other - you hear us Adobe?