Adobe issues silent security update in Reader for Android

Summary:Last week's new version 11.2.0 of Adobe Reader on Android contains new features and a critical security fix that was only disclosed yesterday.

A new version of Adobe Reader for Android released on April 10 fixed a critical security vulnerability.

The "What's New" section of the Adobe Reader page on Google Play for version 11.2.0 lists several new features but no security updates.

On April 13, Dutch information security firm Securify posted an advisory on the Full-Disclosure mailing list for a vulnerability in Adobe Reader for Android version 11.1.3 which was fixed in version 11.2.0. They also have the advisory on their own site.

The vulnerable version of Reader exposes several insecure Javascript interfaces. Using the vulnerability a malicious PDF could execute arbitrary Java code. The code would run in the app sandbox for Reader, so documents available to Readers could be compromised, and the attack code could create new files, but no damage would be possible outside the sandbox.

On April 14 Adobe issued an advisory (APSB14-12) for the vulnerability. The advisory credits Yorick Koster of Securify BV for reporting the vulnerability and working with Adobe responsibly.

Topics: Security, Android

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.