Adobe AIR Lets Remote Users Execute Arbitrary Javascript With Elevated Privileges
|
|
SecurityTracker Alert ID: 1021242
|
|
SecurityTracker URL: http://securitytracker.com/id?1021242
|
|
CVE Reference: CVE-2008-5108
(Links to External Site)
|
Date: Nov 17 2008
|
Impact: Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Advisory: Adobe Advisory
|
Version(s): 1.1 and prior versions
|
Description: A vulnerability was reported in Adobe AIR. A remote user can cause arbitrary scripting code to be executed on the target user's system with elevated privileges.
A remote user can create specially crafted data that, when loaded by the target Adobe AIR application, will execute arbitrary scripting
code with elevated privileges on the target system.
Chris Weber of Casaba Security reported this vulnerability.
|
Impact: A remote user can create data that, when loaded by the target user's AIR application, will execute arbitrary scripting code with elevated privileges on the target user's system.
|
Solution: The vendor has issued a fixed version (1.5), available via automatic update or at:
http://get.adobe.com/air
[Editor's note:
This fix includes a fixed version of the Adobe Flash Player code that is installed by AIR. Previous versions of AIR included a
vulnerable version of Flash Player. On Windows-based systems, AIR installs a separate copy of 'npswf32.dll' that was not corrected
as part of the previous Flash Player security update. Chris J. Dixon reported this vulnerability.]
The vendor's advisory is
available at:
http://www.adobe.com/support/security/bulletins/apsb08-23.html
|
Cause: Access control error
|
Underlying OS: UNIX (OS X), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 17 Nov 2008 17:02:19 -0500
Subject: Adobe AIR
|
http://www.adobe.com/support/security/bulletins/apsb08-23.html
CVE-2008-5108
|
|
