Google released a small update to Android Studio today to address a pair of potentially serious vulnerabilities recently identified in the IntelliJ platform. A blog post on the JetBrains website briefly describes the issues, both of which expose users to attack if they visit a specially crafted web page. The vulnerabilities exist in all versions of Android Studio before v2.1.1 and most or all IDEs based on the IntelliJ platform. So far, there have been no reports of malicious attacks exploiting these security holes.
To install the patch, just check for updates using Android Studio and let it take care of the rest. The update from v2.1.0 to v2.1.1 was only about 3 MB on a Mac. The update shouldn't change any functionality, unless you're coming from an older version, of course. The full installer packages are also up to date, so they may be used to replace an existing installation. For users who need to continue using Android Studio v1.5, there is also a special build of v1.5.2 available with the necessary fixes in place.
We wanted to make you aware of an important security update for Android Studio.
Today we released the Android Studio 2.1.1 update. The incremental update addresses two security vulnerabilities in the underlying IntelliJ platform that affect all previous versions of Android Studio:
Built-in WebServer Vulnerabilities: A Cross-Site Request Forgery (CSRF) flaw in the IDE’s built-in WebServer could allow an attacker to access the local file system from a malicious web page without user consent.
Internal RPC Vulnerabilities: Over-permissive Cross-Origin Resource Sharing (CORS) settings could allow an attacker to access various internal API endpoints; gain access to data saved by the IDE; gather various meta-information, like IDE version; or open a project without permission.
We have had no reports of active customer exploitation or abuse of these newly reported issues, but it’s important that you update to this new version now.
JetBrains notified Google of two security issues that affect all versions of Android Studio and we worked together to develop a solution. These issues not only affect the Android Studio development environment but all JetBrains products built on IntelliJ Platform including IntelliJ IDEA. See JetBrains security posting here: http://blog.jetbrains.com/blog/2016/05/security-update-for-intellij-based-ides
We are offering security patches for versions 1.5.1, 2.0, and 2.1 of Android Studio to upgrade to v2.1.1. Simply go into Android Studio and check updates (Help → Check for Update [Windows/Linux], Android Studio → Check for Updates [OS X]).
If you need to stay on Android Studio 1.5.x, we are also offering a zip file of v1.5.2, which includes the patch for the security vulnerabilities. Download the zip from Android Studio tools website (http://tools.android.com/download/studio/builds/1-5-2/) and manually install the zip package over your existing Android Studio installation.
- Android Studio (G+)
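The two flaw classes named in the notice above, sketched as an added example that is not code from Google, JetBrains or the IntelliJ platform: a local service that echoes any Origin in its CORS headers, beside one that allowlists origins and requires a per-launch token on every request. The origins, port and function names are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed values: these origins and the port are illustrative, not the IDE's real ones.
TRUSTED_ORIGINS = {"http://localhost:8080", "http://127.0.0.1:8080"}
# Per-launch secret that only the trusted local client is given (hypothetical design).
SESSION_TOKEN = secrets.token_urlsafe(32)


def permissive_cors_headers(request_headers):
    """Weak policy: reflect whatever Origin the browser sent.

    Any web page the user visits is then allowed to read the responses
    of the local service, which is the over-permissive CORS pattern.
    """
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def strict_cors_headers(request_headers):
    """Hardened policy: grant cross-origin reads only to allowlisted origins."""
    origin = request_headers.get("Origin")
    if origin in TRUSTED_ORIGINS:
        # Vary keeps caches from serving one origin's grant to another.
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def allow_request(request_headers, token):
    """CSRF gate for a local service.

    A request forged from a foreign page carries that page's Origin and
    cannot know the per-launch token, so it fails one or both checks.
    """
    origin = request_headers.get("Origin")
    if origin is not None and origin not in TRUSTED_ORIGINS:
        return False
    if token is None:
        return False
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    return hmac.compare_digest(token.encode(), SESSION_TOKEN.encode())
```
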