Re: Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR)

["Andre Ludwig" <andre.ludwig () gmail com>]

http://www.owasp.org/index.php/RIA_Security_Smackdown

Andre

On Mon, Feb 25, 2008 at 1:13 PM, Richard M. Smith <rms () computerbytesman com>
wrote:

> I'm still confused here.  Given that AIR applications are downloaded and
> executed on a desktop and not inside of browser, why do they present any
> new
> and different security risks compared to regular old .exe files?  (One
> thing
> I can think of is that Outlook and Outlook Express probably won't
> automatically delete attached AIR files.  OTOH, Outlook and Outlook
> Express
> already fail to protect me from malicious Python and Perl script file
> attachments.)
>
> BTW, the AIR engine sounds just like Microsoft's 10-year "HTML Appliction"
> (AKA .HTA) technology:
>
>  Adobe melds desktop, Web apps with AIR
>   http://www.infoworld.com/article/08/02/24/adobe-air_1.html
>
>   "Applications using AIR can be written using the same technologies
>  commonly used to build Web applications, including Adobe Flex and
>  Flash, HTML, and JavaScript."
>
>   Vs.
>
>  Introduction to HTML Applications (HTAs)
>  
> http://msdn2.microsoft.com/en-us/library/ms536496(VS.85).aspx<http://msdn2.microsoft.com/en-us/library/ms536496%28VS.85%29.aspx>
>
>  With HTAs, Dynamic HTML (DHTML) with script can be added to that list.
>  HTAs not only support everything a Web page does-namely HTML, Cascading
>  Style Sheets (CSS), scripting languages, and behaviors-but also
> HTA-specific
>  functionality. This added functionality provides control over user
>  interface design and access to the client system.
>
> Richard
>
> -----Original Message-----
> From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
> Behalf Of Paul Ferguson
> Sent: Monday, February 25, 2008 1:19 AM
> To: propolice () gmail com
> Cc: funsec () linuxbox org
> Subject: Re: [funsec] Yet Another Emerging Web 2.0 Security Threat: Adobe
> Integ rated Runtime (AIR)
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - -- "Eduardo Tongson" <propolice () gmail com> wrote:
>
> > You don't run AIR inside a browser. This is similar to Flash
> > applications compiled to exe. Basically you can program desktop
> > applications using Flash, JS etc. A sample application/game developed
> > in AIR I looked at [1].
> >
> > [1] <http://blog.eonsec.com/2008/02/tongits-is-in-air.html>
>
> - From the description the InfoWorld article of the AIR application
> developed & used by NASDAQ:
>
> http://www.infoworld.com/article/08/02/24/adobe-air_1.html
>
> ...it sounds very much like a "widget" -type of application,
> pulling content from a third-party location.
>
> If this is true, then I see a wide adoption of this (as we already
> see with widgets on social networking sites, etc.), as well as
> wide-spread possibility for exploitation.
>
> - - ferg
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.6.3 (Build 3017)
>
> wj8DBQFHwl3Lq1pz9mNUZTMRAr/5AJ4iJf6bwko2mwweUfAmsfhd1Ef8IACgheR0
> fITbFeyAQAYxhxovZw+VfFo=
> =rprJ
> -----END PGP SIGNATURE-----
>
>
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawg(at)netzero.net
>  ferg's tech blog: http://fergdawg.blogspot.com/
>
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.