Nov 15, 2010 10:50 GMT

Adobe has released version 2.5.1 of its Adobe AIR product in order to address critical vulnerabilities, including a zero-day one, patched in Flash Player earlier this month.

Adobe AIR is a runtime environment, which can be used to build rich internet applications (RIA) in Flash, Flex, HTML and AJAX.

The runtime is normally updated at the same time as Flash Player, because of their dependency – AIR integrates Flash Player code and features.

However, because of an actively exploited Flash vulnerability (CVE-2010-3654), reported as a zero-day at the end of October, and because of Flash Player's ubiquity, the Flash Player patches were treated as a priority.

The accelerated Flash Player update landed on November 5 and included fixes for eighteen bugs, the majority of which had a critical impact.

The new Adobe AIR 2.5.1 version patches fourteen memory corruption flaws that allow attackers to remotely execute malicious code.

Another arbitrary code execution vulnerability stems from a DLL preloading issue, which in certain situations can allow a rogue library to be executed from inside the working directory.

This is also known as binary planting and is an attack vector affecting hundreds of applications that use library loading functions in an insecure way.
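
The DLL preloading issue described above depends on where the working directory sits in the loader's search order. The following is an added example, not code from Adobe or from the original article: a simplified Python model of the standard Windows search order for a bare DLL name, showing when a load is satisfied from the working directory and the effect of `SetDllDirectory("")`. All paths and the `helper.dll` name are constructed for illustration.

```python
# Simplified model of the standard Windows DLL search order for a bare
# file name. Added example; every path and file name here is constructed.
from ntpath import join, normcase

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]

def search_order(app_dir, cwd, path_dirs, safe_search=True, cwd_removed=False):
    """Directories probed, in order, for LoadLibrary("name.dll").

    safe_search: SafeDllSearchMode, which moves the working directory
                 behind the system directories.
    cwd_removed: the process called SetDllDirectory(""), which drops the
                 working directory from the search.
    """
    if cwd_removed:
        middle = SYSTEM_DIRS
    elif safe_search:
        middle = SYSTEM_DIRS + [cwd]
    else:
        middle = [cwd] + SYSTEM_DIRS
    return [app_dir] + middle + list(path_dirs)

def resolve(dll, existing, **env):
    """First probed location that holds the DLL, or None."""
    present = {normcase(p) for p in existing}
    for directory in search_order(**env):
        candidate = join(directory, dll)
        if normcase(candidate) in present:
            return candidate
    return None

def loaded_from_cwd(dll, existing, **env):
    """True when the working directory, not an install or system path,
    satisfies the load: the condition binary planting relies on."""
    hit = resolve(dll, existing, **env)
    return hit is not None and normcase(hit) == normcase(join(env["cwd"], dll))

# Constructed scenario: helper.dll (hypothetical) is missing from the
# application and system directories but present in the working directory.
ENV = dict(app_dir=r"C:\Program Files\App",
           cwd=r"C:\Users\alice\Documents",
           path_dirs=[r"C:\Tools"])
FILES = [r"C:\Users\alice\Documents\helper.dll", r"C:\Tools\helper.dll"]

if __name__ == "__main__":
    print(loaded_from_cwd("helper.dll", FILES, **ENV))
    print(resolve("helper.dll", FILES, cwd_removed=True, **ENV))
```

Loading a library by its fully qualified path avoids the search altogether, which is why the model only covers bare file names.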

A flaw which can be used to bypass the cross-domain restriction policy has also been fixed, as well as an information disclosure vulnerability affecting the Mac Adobe AIR version only.

Finally, this update addresses a denial of service condition, with a possible, but unconfirmed, arbitrary code execution impact.

In related news, security patches have been released for Adobe Flash Media Server (FMS). The new 4.0.1, 3.5.5 and 3.0.7 versions address one remote code execution and two denial of service vulnerabilities.

The latest version of Adobe AIR for Windows can be downloaded here.

The latest version of Adobe AIR for Mac can be downloaded here.

The latest version of Adobe AIR for Linux can be downloaded here.