Release date: November 17, 2008
Vulnerability identifier: APSB08-23
CVE number: CVE-2008- 5108
Platform: All Platforms
A vulnerability has been identified in Adobe AIR 1.1 and earlier that could allow an attacker who successfully exploits this potential vulnerability to execute untrusted JavaScript with elevated privileges. An Adobe AIR application must load data from an untrusted source to trigger this potential vulnerability.
AIR 1.5, which integrates Flash Player technology, includes a Flash Player update to resolve the critical issues as outlined in Flash Player Security Bulletin APSB08-22, as well as issues included in Flash Player Security Bulletins APSB08-20 and APSB08-18. Adobe recommends AIR customers update to Adobe AIR 1.5..
Adobe AIR 1.1 and earlier.
Adobe recommends all users of Adobe AIR 1.1 and earlier versions upgrade to the newest version AIR 1.5 by downloading it from the AIR Download Center, or by using the auto-update mechanism within the product when prompted.
Due to the potential vulnerabilities to Flash Player as outlined in Security Bulletin APSB08-22, Adobe categorizes this as a critical update and recommends affected users upgrade to version 1.5.
A vulnerability has been identified in Adobe AIR 1.1 and earlier that could allow an attacker who successfully exploits this potential vulnerability to execute untrusted JavaScript with elevated privileges. An Adobe AIR application must load data from an untrusted source to trigger this potential vulnerability. In addition, AIR 1.5 includes a Flash Player update to resolve the critical issues outlined in Flash Player Security Bulletin APSB08-22, as well as issues included in Flash Player Security Bulletins APSB08-20 and APSB08-18. Adobe recommends AIR customers update to Adobe AIR 1.5. These issues are remotely exploitable.
Adobe would like to thank Chris Weber of Casaba Security for reporting the AIR JavaScript execution issue and for working with Adobe to help protect our customers' security.