funsec mailing list archives
Re: Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR)
From: "Andre Ludwig" <andre.ludwig () gmail com>
Date: Mon, 25 Feb 2008 14:32:57 -0500

True it is a bit of apples and oranges but much of the same functionality exists in all the platforms, some carry a bit more risk based on their security models (or lack thereof). It should be noted that the link I sent to the list is a bit dated (it was done back in August of 07), so I am sure as these frameworks have progressed there have been subtle (or major) shifts in their security architecture.

Andre Ludwig

On Mon, Feb 25, 2008 at 1:57 PM, Richard M. Smith <rms () computerbytesman com> wrote:

Thanks for the link, but the OWASP table seems to be comparing apples and oranges. Some of the technologies run inside of Web pages (Java and Flash), while other technologies run standalone applications (e.g., JFX and AIR). I think the security implications of standalone applications that have local file system access are pretty well understood. ;-)

Richard

From: Andre Ludwig [mailto:andre.ludwig () gmail com]
Sent: Monday, February 25, 2008 1:41 PM
To: Richard M. Smith
Cc: funsec () linuxbox org
Subject: Re: [funsec] Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR)

http://www.owasp.org/index.php/RIA_Security_Smackdown

Andre

On Mon, Feb 25, 2008 at 1:13 PM, Richard M. Smith <rms () computerbytesman com> wrote:

I'm still confused here. Given that AIR applications are downloaded and executed on a desktop and not inside of browser, why do they present any new and different security risks compared to regular old .exe files? (One thing I can think of is that Outlook and Outlook Express probably won't automatically delete attached AIR files. OTOH, Outlook and Outlook Express already fail to protect me from malicious Python and Perl script file attachments.)

BTW, the AIR engine sounds just like Microsoft's 10-year "HTML Application" (AKA .HTA) technology:

Adobe melds desktop, Web apps with AIR
http://www.infoworld.com/article/08/02/24/adobe-air_1.html

"Applications using AIR can be written using the same technologies commonly used to build Web applications, including Adobe Flex and Flash, HTML, and JavaScript."

Vs.

Introduction to HTML Applications (HTAs)
http://msdn2.microsoft.com/en-us/library/ms536496(VS.85).aspx

With HTAs, Dynamic HTML (DHTML) with script can be added to that list. HTAs not only support everything a Web page does-namely HTML, Cascading Style Sheets (CSS), scripting languages, and behaviors-but also HTA-specific functionality. This added functionality provides control over user interface design and access to the client system.

Richard

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Paul Ferguson
Sent: Monday, February 25, 2008 1:19 AM
To: propolice () gmail com
Cc: funsec () linuxbox org
Subject: Re: [funsec] Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR)

-- "Eduardo Tongson" <propolice () gmail com> wrote:

You don't run AIR inside a browser. This is similar to Flash applications compiled to exe. Basically you can program desktop applications using Flash, JS etc. A sample application/game developed in AIR I looked at [1].

[1] <http://blog.eonsec.com/2008/02/tongits-is-in-air.html>

From the description the InfoWorld article of the AIR application developed & used by NASDAQ:

http://www.infoworld.com/article/08/02/24/adobe-air_1.html

...it sounds very much like a "widget"-type of application, pulling content from a third-party location.

If this is true, then I see a wide adoption of this (as we already see with widgets on social networking sites, etc.), as well as wide-spread possibility for exploitation.

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.