Adobe issues silent security update in Reader for Android

Summary: Last week's new version 11.2.0 of Adobe Reader on Android contains new features and a critical security fix that was only disclosed yesterday.

TOPICS: Security, Android

A new version of Adobe Reader for Android released on April 10 fixed a critical security vulnerability.

The "What's New" section of the Adobe Reader page on Google Play for version 11.2.0 lists several new features but no security updates.

On April 13, Dutch information security firm Securify posted an advisory on the Full-Disclosure mailing list for a vulnerability in Adobe Reader for Android version 11.1.3, which was fixed in version 11.2.0. The advisory is also available on Securify's own site.

The vulnerable version of Reader exposes several insecure JavaScript interfaces. Using the vulnerability, a malicious PDF could execute arbitrary Java code. The code would run in the app sandbox for Reader, so documents available to Reader could be compromised, and the attack code could create new files, but no damage would be possible outside the sandbox.

On April 14 Adobe issued an advisory (APSB14-12) for the vulnerability. The advisory credits Yorick Koster of Securify BV for reporting the vulnerability and working with Adobe responsibly.

Talkback

3 comments
  • Just another reason

    Just another reason to disable JavaScript within Reader. It's easy to do, and has affected nearly zero percent of the PDF content I've come across.

    Edit > Preferences > JavaScript > uncheck "Enable Acrobat JavaScript"
    ejhonda
    • Of course, that doesn't help on the Android side of things...

      Disabling JavaScript is only available on the Windows side AFAIK.
      ejhonda
  • Adobe sucks!

    Adobe is the epitome of security holes!! As soon as they release a "fixed" version, out comes a "fix" for the "fix". I tell my clients that have been affected by an Adobe "hole" to use an alternate reader.
    @ejhonda thank you for your suggestion.
    greatnewproducts