
Adobe AIR < 22.0.0.153 RCE (APSB16-23)

High

Synopsis

The remote host is running an outdated version of Adobe AIR that is affected by a remote code execution (RCE) vulnerability.

Description

Versions of Adobe AIR prior to 22.0.0.153 are affected by a flaw that is triggered when loading certain dynamic-link libraries. The program searches for specific files or libraries using an insecure path that includes the current working directory, which may be untrusted or not under the user's control. By placing a specially crafted library in that path and tricking a user into opening a file (e.g., one located on a remote WebDAV share), a context-dependent attacker can inject and execute arbitrary code with the privileges of the user running the program.

Solution

Upgrade to Adobe AIR 22.0.0.153 or later.