Permissions, Privileges, and Access Controls in Adobe AIR

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU31705

Risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2011-2458

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Adobe Flash Player before 10.3.183.11 and 11.x before 11.1.102.55 on Windows, Mac OS X, Linux, and Solaris and before 11.1.102.59 on Android, and Adobe AIR before 3.1.0.4880, when Internet Explorer is used, allows remote attackers to bypass the cross-domain policy via a crafted web site.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Adobe AIR: 3.1.0.485 - 3.1.0.488

CPE2.3

• cpe:2.3:a:adobe:adobe_air:3.1.0.485:*:*:*:*:*:*:*
• cpe:2.3:a:adobe:adobe_air:3.1.0.488:*:*:*:*:*:*:*

External links

https://lists.opensuse.org/opensuse-security-announce/2011-11/msg00014.html
https://lists.opensuse.org/opensuse-security-announce/2011-11/msg00017.html
https://lists.opensuse.org/opensuse-security-announce/2011-11/msg00019.html
https://secunia.com/advisories/48819
https://security.gentoo.org/glsa/glsa-201204-07.xml
https://www.adobe.com/support/security/bulletins/apsb11-28.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14014
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16179

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.