Got Adobe Reader on your Android device? You had best update it ASAP

A critical security vulnerability has been found in Adobe Reader Mobile, the version of the popular PDF Reader developed for the Android operating system, which could lead to remote hackers compromising documents stored on your Android device and its SD memory card.

If you were feeling smug that you had managed to avoid the Heartbleed flaw affecting up to 50 million Android users because you’re not running Android 4.1.1 Jelly Bean, then perhaps you should wipe that smile off your face.

Because there’s every possibility that you’re running a vulnerable version of Adobe Reader on your Android device, one which carries a critical (if not Heartbleed-related) security hole.


In fact, it is believed that the Android version of Adobe Reader is used on between “100 million to 500 million” devices around the world – meaning that could be a fair number of affected users.

The Adobe Reader security hole was uncovered by security researcher Yorick Koster, who discovered that it was possible for malicious attackers to create a booby-trapped PDF file that would achieve remote code execution in the Android version of Adobe Reader, running malicious Javascript code within the Reader app.

An attacker can create a specially crafted PDF file containing Javascript that runs when the target user views (or interacts with) this PDF file. Using any of the Javascript objects listed above provides the attacker access to the public Reflection APIs inherited from Object. These APIs can be abused to run arbitrary Java code.

Koster released proof-of-concept code demonstrating how the flaw could be abused by attackers, and informed Adobe of the problem.
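The ingredient common to every attack of this kind is a PDF that carries JavaScript. The following is an added example written for this page (it is not Koster's proof-of-concept and not Adobe's code): a small triage script that inspects a PDF for the standard PDF name objects that trigger script execution (/JavaScript, /JS, and the /OpenAction and /AA action hooks), including inside FlateDecode streams where such objects are often tucked away. The sample documents are constructed inline; the marker list and the "clean / action-only / javascript" verdicts are this example's own conventions.

```python
import re
import zlib

# PDF name objects associated with script execution (standard PDF names;
# the choice of which to flag is this example's own convention).
JS_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")


def _inflate_streams(data: bytes) -> bytes:
    """Return the raw bytes plus the inflated content of every stream that
    decompresses as zlib/Flate, so markers hidden in object streams are visible."""
    parts = [data]
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)endstream", data, re.S):
        d = zlib.decompressobj()
        try:
            parts.append(d.decompress(m.group(1)))  # trailing EOL bytes are ignored
        except zlib.error:
            pass  # not Flate-encoded (or damaged): nothing to add
    return b"\n".join(parts)


def find_javascript_markers(pdf_bytes: bytes) -> dict:
    """Count occurrences of each script-related marker, e.g. {"/JS": 1}."""
    text = _inflate_streams(pdf_bytes)
    counts = {}
    for marker in JS_MARKERS:
        # A PDF name ends at a delimiter or whitespace, so /JS must not match /JSx.
        pattern = re.escape(marker) + rb"(?!\w)"
        n = len(re.findall(pattern, text))
        if n:
            counts[marker.decode()] = n
    return counts


def triage(pdf_bytes: bytes) -> str:
    """Coarse verdict: 'clean', 'action-only' (an action hook but no script),
    or 'javascript' (embedded JavaScript present)."""
    counts = find_javascript_markers(pdf_bytes)
    if not counts:
        return "clean"
    if "/JavaScript" in counts or "/JS" in counts:
        return "javascript"
    return "action-only"


def build_sample_pdf(js_action=None, compress=False) -> bytes:
    """Construct a minimal PDF (sample data for this example, not a real document).
    With js_action set, the catalog's /OpenAction points at a JavaScript action
    object, stored as plain text or inside a FlateDecode stream."""
    catalog = b"1 0 obj << /Type /Catalog /Pages 2 0 R"
    if js_action is not None:
        catalog += b" /OpenAction 4 0 R"
    objs = [catalog + b" >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj"]
    if js_action is not None:
        action = b"<< /S /JavaScript /JS (" + js_action + b") >>"
        if compress:
            payload = zlib.compress(action)
            objs.append(b"4 0 obj << /Filter /FlateDecode /Length %d >>\nstream\n"
                        % len(payload) + payload + b"\nendstream endobj")
        else:
            objs.append(b"4 0 obj " + action + b" endobj")
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


# Constructed samples: a plain document, one with a visible script action,
# and one whose script action is hidden in a Flate stream.
SAMPLE_CLEAN = build_sample_pdf()
SAMPLE_PLAIN_JS = build_sample_pdf(b"app.alert(1)")
SAMPLE_COMPRESSED_JS = build_sample_pdf(b"app.alert(1)", compress=True)

if __name__ == "__main__":
    for name, doc in (("clean", SAMPLE_CLEAN), ("plain", SAMPLE_PLAIN_JS),
                      ("compressed", SAMPLE_COMPRESSED_JS)):
        print(name, triage(doc), find_javascript_markers(doc))
```

This is a first-pass filter, not a parser: it ignores encrypted documents, non-Flate filters and hex-escaped names (such as `/J#53`), so a "clean" verdict only means no obvious script markers were found, while a "javascript" verdict is a reason to keep the file away from an unpatched Reader build.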

In a security advisory, Adobe confirmed that version 11.1.3 and earlier of Adobe Reader Mobile for Android are vulnerable to the flaw (assigned CVE-2014-0514), which lies in the app’s implementation of its Javascript APIs.

To fix the flaw, Adobe has released version 11.2.0 of its Reader software for Android smartphones and tablets, which is available from the official Google Play store.

Adobe describes version 11.2.0 of its Reader software for Android as providing “Improved Security”:

To keep you safe, Reader now uses Android’s built-in JavaScript security. This additional protection is available on Android versions 4.2 and newer. For users running old versions of Android, we disabled JavaScript when filling forms on devices to make sure those users are safe too.

Obviously, as with Adobe software for your PC or Apple Mac, the only safe course of action is to download your Adobe updates from official outlets. It’s all too common to see cybercriminals attempt to spread their malware attacks by disguising them as security updates from the likes of Adobe.

Take care online, and ensure that all your computing devices are kept up-to-date with security patches – whether they be on your desktop, your laptop, or in your pocket.

This article originally appeared on the Lumension blog.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.
