[funsec] Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR)

Richard M. Smith rms at computerbytesman.com
Mon Feb 25 12:13:51 CST 2008

I'm still confused here.  Given that AIR applications are downloaded and
executed on a desktop and not inside of browser, why do they present any new
and different security risks compared to regular old .exe files?  (One thing
I can think of is that Outlook and Outlook Express probably won't
automatically delete attached AIR files.  OTOH, Outlook and Outlook Express
already fail to protect me from malicious Python and Perl script file

BTW, the AIR engine sounds just like Microsoft's 10-year "HTML Application"
(AKA .HTA) technology:

  Adobe melds desktop, Web apps with AIR

  "Applications using AIR can be written using the same technologies 
  commonly used to build Web applications, including Adobe Flex and 
  Flash, HTML, and JavaScript."


  Introduction to HTML Applications (HTAs)

  With HTAs, Dynamic HTML (DHTML) with script can be added to that list. 
  HTAs not only support everything a Web page does - namely HTML, Cascading 
  Style Sheets (CSS), scripting languages, and behaviors - but also
  functionality. This added functionality provides control over user 
  interface design and access to the client system.


-----Original Message-----
From: funsec-bounces at linuxbox.org [mailto:funsec-bounces at linuxbox.org] On
Behalf Of Paul Ferguson
Sent: Monday, February 25, 2008 1:19 AM
To: propolice at gmail.com
Cc: funsec at linuxbox.org
Subject: Re: [funsec] Yet Another Emerging Web 2.0 Security Threat: Adobe
Integrated Runtime (AIR)


-- "Eduardo Tongson" <propolice at gmail.com> wrote:

>You don't run AIR inside a browser. This is similar to Flash
>applications compiled to exe. Basically you can program desktop
>applications using Flash, JS etc. A sample application/game developed
>in AIR I looked at [1].
>[1] <http://blog.eonsec.com/2008/02/tongits-is-in-air.html>

From the description in the InfoWorld article of the AIR application
developed & used by NASDAQ:


...it sounds very much like a "widget"-type of application,
pulling content from a third-party location.

If this is true, then I see a wide adoption of this (as we already
see with widgets on social networking sites, etc.), as well as
wide-spread possibility for exploitation.

-- ferg



"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 ferg's tech blog: http://fergdawg.blogspot.com/
