Adobe eliminates critical vulnerabilities in AIR
Adobe has issued security update 1.5 for AIR (Adobe Integrated Runtime) to eliminate a security vulnerability. AIR is an operating-system independent runtime environment in which local applications can be developed using web techniques. Adobe says the vulnerability could allow untrusted JavaScript to be executed with elevated privileges, though "an Adobe AIR application must load data from an untrusted source to trigger this potential vulnerability".
The AIR update also contains an update for the Flash Player components, for versions 9 and 10 of which bugfixes recently appeared (Bugfixes). With this move, Adobe has now belatedly supplied information about other, hitherto unknown security vulnerabilities that are eliminated by this update. Although Adobe gives no details, these vulnerabilities in Flash Player are alleged to have been remotely exploitable to infect a computer with malicious code. The report says all this required was visiting a web site or opening an email.
For that reason, Adobe is classifying the AIR update as critical. Users should not hesitate to install the new version.
See also:
- AIR update available to address security vulnerabilities, security advisory from Adobe
- Additional disclosure of security vulnerabilities fixed in Flash Player 10.0.12.36 and Flash Player 9.0.151.0, security advisory from Adobe
(djwm)