[funsec] Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR)
Richard M. Smith
rms at computerbytesman.com
Mon Feb 25 12:13:51 CST 2008
I'm still confused here. Given that AIR applications are downloaded and
executed on a desktop and not inside of a browser, why do they present any new
and different security risks compared to regular old .exe files? (One thing
I can think of is that Outlook and Outlook Express probably won't
automatically delete attached AIR files. OTOH, Outlook and Outlook Express
already fail to protect me from malicious Python and Perl script file
BTW, the AIR engine sounds just like Microsoft's 10-year "HTML Application"
(AKA .HTA) technology:
Adobe melds desktop, Web apps with AIR
"Applications using AIR can be written using the same technologies
commonly used to build Web applications, including Adobe Flex and
Introduction to HTML Applications (HTAs)
With HTAs, Dynamic HTML (DHTML) with script can be added to that list.
HTAs not only support everything a Web page does-namely HTML, Cascading
Style Sheets (CSS), scripting languages, and behaviors-but also
functionality. This added functionality provides control over user
interface design and access to the client system.
From: funsec-bounces at linuxbox.org [mailto:funsec-bounces at linuxbox.org] On
Behalf Of Paul Ferguson
Sent: Monday, February 25, 2008 1:19 AM
To: propolice at gmail.com
Cc: funsec at linuxbox.org
Subject: Re: [funsec] Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR)
-- "Eduardo Tongson" <propolice at gmail.com> wrote:
>You don't run AIR inside a browser. This is similar to Flash
>applications compiled to exe. Basically you can program desktop
>applications using Flash, JS etc. A sample application/game developed
>in AIR I looked at .
From the description in the InfoWorld article of the AIR application
developed & used by NASDAQ:
...it sounds very much like a "widget"-type of application,
pulling content from a third-party location.
If this is true, then I see a wide adoption of this (as we already
see with widgets on social networking sites, etc.), as well as
widespread possibility for exploitation.
- ferg
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
ferg's tech blog: http://fergdawg.blogspot.com/