Got Adobe Reader on your Android device? You had best update it ASAP

               

A critical security vulnerability has been found in Adobe Reader Mobile, the version of the popular PDF Reader developed for the Android operating system, which could lead to remote hackers compromising documents stored on your Android device and its SD memory card.

If you were feeling smug that you had managed to avoid the Heartbleed flaw affecting up to 50 million Android users because you’re not running Android 4.1.1 Jelly Bean, then perhaps you should wipe that smile off your face.

Because there’s every possibility that you’re running a vulnerable version of Adobe Reader on your Android, which is carrying a critical (if not Heartbleed-related) security hole.

In fact, it is believed that the Android version of Adobe Reader is used on between “100 million to 500 million” devices around the world - meaning that there could be a fair number of affected users.

The Adobe Reader security hole was uncovered by security researcher Yorick Koster, who discovered that it was possible for malicious attackers to create a boobytrapped PDF file that would cause remote code execution to occur on the Android version of Adobe Reader, and run malicious JavaScript code within the Reader app.

An attacker can create a specially crafted PDF file containing Javascript that runs when the target user views (or interacts with) this PDF file. Using any of the Javascript objects listed above provides the attacker access to the public Reflection APIs inherited from Object. These APIs can be abused to run arbitrary Java code.

Koster released proof-of-concept code demonstrating how the flaw could be abused by attackers, and informed Adobe of the problem.

In a security advisory, Adobe underlined that version 11.1.3 and earlier of Adobe Reader Mobile for Android are vulnerable to the flaw (dubbed CVE-2014-0514), which exploits a vulnerability in its implementation of JavaScript APIs.

To fix the flaw, Adobe has released version 11.2.0 of its Reader software for Android smartphones and tablets, which is available from the official Google Play store.

Adobe describes version 11.2.0 of its Reader software for Android as providing “Improved Security”:

To keep you safe, Reader now uses Android’s built-in JavaScript security. This additional protection is available on Android versions 4.2 and newer. For users running old versions of Android, we disabled JavaScript when filling forms on devices to make sure those users are safe too.
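For developers checking their own apps for the same class of flaw, here is an added example (not from Adobe, Koster or the original article). It assumes the script-visible objects are registered with Android's `WebView.addJavascriptInterface`, the API that the 4.2 protection applies to; `FormBridge`, its methods and the SDK levels are constructed sample input.

```python
import re

API_17 = 17  # Android 4.2: first release that enforces @JavascriptInterface

# Constructed sample source, not taken from any real app.
SAMPLE_JAVA = '''
public class FormBridge {
    @JavascriptInterface
    public String getFieldValue(String name) { return lookup(name); }
    public void setFieldValue(String name, String value) { store(name, value); }
}
class Viewer {
    void init(WebView view) { view.addJavascriptInterface(new FormBridge(), "bridge"); }
}
'''

METHOD = re.compile(r"(@JavascriptInterface\s+)?public\s+[\w<>\[\].]+\s+(\w+)\s*\(")

def audit_js_bridges(java_src, min_sdk, target_sdk):
    """Report bridge objects whose unannotated methods are reachable from script."""
    unannotated, current, prev = {}, None, ""
    for line in java_src.splitlines():
        s = line.strip()
        if not s:
            continue
        cls = re.search(r"\bclass\s+(\w+)", s)
        if cls:  # remember which class the following methods belong to
            current = cls.group(1)
            unannotated[current] = []
        m = METHOD.match(s)
        if m and current and not (m.group(1) or prev == "@JavascriptInterface"):
            unannotated[current].append(m.group(2))
        prev = s
    reasons = []
    if min_sdk < API_17:
        reasons.append("devices below Android 4.2 ignore @JavascriptInterface")
    if target_sdk < API_17:
        reasons.append("targetSdkVersion below 17 switches the annotation filter off")
    findings = []
    for bridge in re.findall(r"addJavascriptInterface\(\s*new\s+(\w+)", java_src):
        if reasons:  # without the filter, every public method is script-callable
            exposed = unannotated.get(bridge, []) + ["getClass (inherited from Object)"]
            findings.append({"bridge": bridge, "reasons": reasons, "unintended": exposed})
    return findings

if __name__ == "__main__":
    for finding in audit_js_bridges(SAMPLE_JAVA, min_sdk=14, target_sdk=19):
        print(finding)
```

Where a build must still support devices older than Android 4.2, the remedy quoted above is to leave JavaScript disabled on those devices instead of registering the bridge.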

Obviously, as with Adobe software for your PC or Apple Mac, the only safe course of action is to download your Adobe updates from official outlets. It’s all too common to see cybercriminals attempt to spread their malware attacks by disguising them as security updates from the likes of Adobe.

Take care online, and ensure that all your computing devices are kept up-to-date with security patches - whether they be on your desktop, your laptop, or in your pocket.

This article originally appeared on the Lumension blog.
