=====================================================================
                                   CERT-Renater

                        Information Note No. 2008/VULN529
_____________________________________________________________________

DATE                      : 18/11/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Adobe AIR.

======================================================================
http://www.adobe.com/support/security/bulletins/apsb08-23.html
______________________________________________________________________

AIR update available to address security vulnerabilities

Release date: November 17, 2008

Vulnerability identifier: APSB08-23

CVE number: CVE-2008-5108

Platform: All Platforms

Summary

A vulnerability has been identified in Adobe AIR 1.1 and earlier that
could allow an attacker who successfully exploits this potential
vulnerability to execute untrusted JavaScript with elevated privileges.
An Adobe AIR application must load data from an untrusted source to
trigger this potential vulnerability.

AIR 1.5, which integrates Flash Player technology, includes a Flash
Player update to resolve the critical issues as outlined in Flash
Player Security Bulletin APSB08-22, as well as issues included in Flash
Player Security Bulletins APSB08-20 and APSB08-18. Adobe recommends AIR
customers update to Adobe AIR 1.5.

Affected software versions

Adobe AIR 1.1 and earlier.


Solution

Adobe recommends all users of Adobe AIR 1.1 and earlier versions upgrade
to the newest version AIR 1.5 by downloading it from the AIR Download Center,
or by using the auto-update mechanism within the product when prompted.

Severity rating

Due to the potential vulnerabilities to Flash Player as outlined in Security
Bulletin APSB08-22, Adobe categorizes this as a critical update and recommends
affected users upgrade to version 1.5.

Details

A vulnerability has been identified in Adobe AIR 1.1 and earlier that could
allow an attacker who successfully exploits this potential vulnerability to
execute untrusted JavaScript with elevated privileges. An Adobe AIR
application must load data from an untrusted source to trigger this potential
vulnerability. In addition, AIR 1.5 includes a Flash Player update to resolve
the critical issues outlined in Flash Player Security Bulletin APSB08-22, as
well as issues included in Flash Player Security Bulletins APSB08-20 and
APSB08-18. Adobe recommends AIR customers update to Adobe AIR 1.5. These
issues are remotely exploitable.

Acknowledgments

Adobe would like to thank Chris Weber of Casaba Security for reporting the
AIR JavaScript execution issue and for working with Adobe to help protect
our customers' security.

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
