[funsec] Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR)

Richard M. Smith rms at computerbytesman.com
Mon Feb 25 12:57:15 CST 2008


Thanks for the link, but the OWASP table seems to be comparing apples and
oranges.  Some of the technologies run inside of Web pages (Java and Flash),
while other technologies run standalone applications (e.g., JFX and AIR).  I
think the security implications of standalone applications that have local
file system access are pretty well understood. ;-)


Richard


From: Andre Ludwig [mailto:andre.ludwig at gmail.com] 
Sent: Monday, February 25, 2008 1:41 PM
To: Richard M. Smith
Cc: funsec at linuxbox.org
Subject: Re: [funsec] Yet Another Emerging Web 2.0 Security Threat: Adobe
Integrated Runtime (AIR)


http://www.owasp.org/index.php/RIA_Security_Smackdown

Andre

On Mon, Feb 25, 2008 at 1:13 PM, Richard M. Smith <rms at computerbytesman.com>
wrote:

I'm still confused here.  Given that AIR applications are downloaded and
executed on a desktop and not inside of a browser, why do they present any new
and different security risks compared to regular old .exe files?  (One thing
I can think of is that Outlook and Outlook Express probably won't
automatically delete attached AIR files.  OTOH, Outlook and Outlook Express
already fail to protect me from malicious Python and Perl script file
attachments.)

BTW, the AIR engine sounds just like Microsoft's 10-year "HTML Application"
(AKA .HTA) technology:

 Adobe melds desktop, Web apps with AIR

 http://www.infoworld.com/article/08/02/24/adobe-air_1.html

 "Applications using AIR can be written using the same technologies
 commonly used to build Web applications, including Adobe Flex and
 Flash, HTML, and JavaScript."

 Vs.

 Introduction to HTML Applications (HTAs)
 http://msdn2.microsoft.com/en-us/library/ms536496(VS.85).aspx

 With HTAs, Dynamic HTML (DHTML) with script can be added to that list.
 HTAs not only support everything a Web page does, namely HTML, Cascading
 Style Sheets (CSS), scripting languages, and behaviors, but also HTA-specific
 functionality. This added functionality provides control over user
 interface design and access to the client system.


Richard

-----Original Message-----
From: funsec-bounces at linuxbox.org [mailto:funsec-bounces at linuxbox.org] On
Behalf Of Paul Ferguson

Sent: Monday, February 25, 2008 1:19 AM
To: propolice at gmail.com
Cc: funsec at linuxbox.org
Subject: Re: [funsec] Yet Another Emerging Web 2.0 Security Threat: Adobe
Integrated Runtime (AIR)

-- "Eduardo Tongson" <propolice at gmail.com> wrote:

>You don't run AIR inside a browser. This is similar to Flash
>applications compiled to exe. Basically you can program desktop
>applications using Flash, JS etc. A sample application/game developed
>in AIR I looked at [1].
>
>[1] <http://blog.eonsec.com/2008/02/tongits-is-in-air.html>
>

From the description in the InfoWorld article of the AIR application
developed & used by NASDAQ:

http://www.infoworld.com/article/08/02/24/adobe-air_1.html

...it sounds very much like a "widget"-type of application,
pulling content from a third-party location.

If this is true, then I see a wide adoption of this (as we already
see with widgets on social networking sites, etc.), as well as
wide-spread possibility for exploitation.

-- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
