November 17th, 2008
Adobe AIR hits 'critical' security turbulence
Buried in today’s flurry of feel-good Adobe news is this less flattering nugget: Adobe AIR is vulnerable to several critical vulnerabilities that could expose users to code execution attacks.
The company released AIR 1.5 with fixes for previously discussed flaws in Flash Player (which is embedded into AIR) and a patch for a separate issue that allows the execution of untrusted JavaScript with elevated privileges.
As this bulletin explains, the issues are all remotely exploitable:
- A vulnerability has been identified in Adobe AIR 1.1 and earlier that could allow an attacker who successfully exploits this potential vulnerability to execute untrusted JavaScript with elevated privileges. An Adobe AIR application must load data from an untrusted source to trigger this potential vulnerability. In addition, AIR 1.5 includes a Flash Player update to resolve the critical issues outlined in Flash Player Security Bulletin APSB08-22, as well as issues included in Flash Player Security Bulletins APSB08-20 and APSB08-18. Adobe recommends AIR customers update to Adobe AIR 1.5. These issues are remotely exploitable.
Adobe recommends all users of Adobe AIR 1.1 and earlier versions upgrade to the newest version AIR 1.5 by downloading it from the AIR Download Center, or by using the auto-update mechanism within the product when prompted.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
