Adobe issues silent security update in Reader for Android

Last week's version 11.2.0 of Adobe Reader for Android contains new features and a critical security fix that was disclosed only yesterday.

A new version of Adobe Reader for Android released on April 10 fixed a critical security vulnerability.

The "What's New" section of the Adobe Reader page on Google Play for version 11.2.0 lists several new features but no security updates.

On April 13, Dutch information security firm Securify posted an advisory on the Full-Disclosure mailing list for a vulnerability in Adobe Reader for Android version 11.1.3 which was fixed in version 11.2.0. They also have the advisory on their own site.

The vulnerable version of Reader exposes several insecure JavaScript interfaces, and a malicious PDF could use them to execute arbitrary Java code. That code runs inside the Android app sandbox with Reader's own permissions: documents Reader can read could be stolen and files created wherever Reader is allowed to write, but the attacker gains nothing the Reader app itself does not already have. Anyone with Reader installed from Google Play should confirm the app reports version 11.2.0 or later.
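For readers who want to see what this bug class looks like in code, the following is an added illustration of the Android "insecure JavaScript interface" pattern and its hardened form; it is not code from Adobe Reader or from the Securify advisory, and the package, class and object names (BridgeDemoActivity, LegacyBridge, SafeBridge, "bridge") and the sample document script are assumptions. A Java object bound into a WebView with addJavascriptInterface is callable from script; on platforms or apps that do not enforce the @JavascriptInterface annotation, script can walk from any bound object to java.lang.Runtime by reflection, which is the widely documented route from "a JavaScript bridge" to "arbitrary Java code".

```java
// Added illustration, not code from Adobe Reader or the Securify advisory.
// Shows an Android WebView JavaScript bridge in its insecure and hardened forms.
// Package, class and object names are assumed for the example.
package example.bridge;

import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

import java.io.File;
import java.io.IOException;
import java.util.Scanner;

public class BridgeDemoActivity extends Activity {

    /* VULNERABLE: on Android below 4.2 (API 17), or in any app whose targetSdkVersion
     * is below 17, every public method of a bound object is callable from script,
     * including Object.getClass(). Script can then reach java.lang.Runtime by
     * reflection (the well-documented technique for this bug class, shown only as
     * a comment here):
     *
     *   bridge.getClass().forName("java.lang.Runtime")
     *         .getMethod("getRuntime", null).invoke(null, null).exec("id");
     *
     * The result runs with the app's own permissions: its private files, and any
     * granted permission such as external storage, become the document author's. */
    static final class LegacyBridge {
        public String version() { return "1.0"; }          // the intended surface

        public String readFile(String path) throws IOException {   // exposed as well
            return readTextFile(path);
        }
    }

    /* HARDENED: with targetSdkVersion >= 17 on API 17+, only @JavascriptInterface
     * methods are exported, so getClass() is unreachable from script; the object
     * carries no file or reflection-friendly helpers; and no bridge is installed at
     * all where the platform cannot enforce the annotation. */
    static final class SafeBridge {
        @JavascriptInterface
        public String version() { return "1.0"; }
    }

    /** Reads a whole file as UTF-8 text; app-side helper, never exposed to script. */
    static String readTextFile(String path) throws IOException {
        try (Scanner s = new Scanner(new File(path), "UTF-8")) {
            return s.useDelimiter("\\A").hasNext() ? s.next() : "";
        }
    }

    /** Binds a bridge only where the platform enforces @JavascriptInterface. */
    static boolean installBridge(WebView view, Object bridge, String name) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // Pre-4.2: addJavascriptInterface cannot be made safe; keep script off.
            view.getSettings().setJavaScriptEnabled(false);
            return false;
        }
        view.addJavascriptInterface(bridge, name);
        return true;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView view = new WebView(this);
        view.getSettings().setJavaScriptEnabled(true);
        // Binding new LegacyBridge() here would be the vulnerable configuration.
        installBridge(view, new SafeBridge(), "bridge");
        setContentView(view);
        // Assumed sample document script: it can call bridge.version() and nothing else.
        view.loadData("<script>document.write(bridge.version())</script>",
                      "text/html", null);
    }
}
```

The fix is not only the annotation: the app must also declare targetSdkVersion 17 or higher for the platform to enforce it, and any bound object should expose the smallest surface that the document script genuinely needs.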

On April 14 Adobe issued an advisory (APSB14-12) for the vulnerability. The advisory credits Yorick Koster of Securify BV for reporting the vulnerability and working with Adobe responsibly.