funsec mailing list archives
Re: Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR)
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Mon, 25 Feb 2008 14:54:05 -0500
I just don't see the big deal here. Developers can create insecure applications in most any programming language. Why pick on AIR?

FWIW, here's the Adobe AIR security write-up:

http://download.macromedia.com/pub/labs/air/air_security.pdf

The threat with AIR might be more indirect: End-users will get comfortable about downloading and running desktop applications from strangers. The bad guys will exploit this trust to distribute malware.

Richard

-----Original Message-----
From: Paul Ferguson [mailto:fergdawg () netzero net]
Sent: Monday, February 25, 2008 2:21 PM
To: rms () computerbytesman com
Cc: funsec () linuxbox org
Subject: Re: [funsec] Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- "Richard M. Smith" <rms () computerbytesman com> wrote:

> Thanks for the link, but the OWASP table seems to be comparing apples and oranges. Some of the technologies run inside of Web pages (Java and Flash), while other technologies run standalone applications (e.g., JFX and AIR). I think the security implications of standalone applications that have local file system access are pretty well understood. ;-)

Maybe. Maybe not.

The real issue here is how these "applications" are implemented, and how secure their implementation is.

It has already been exposed that earlier versions of AIR have had serious bugs (file exclusion vulnerabilities, etc.) and this may very well be yet another technology that exposes consumers unnecessarily to being exploited.

Ironically, the SANS ISC picked up on this, too:

http://isc.sans.org/diary.html?storyid=4019

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFHwxURq1pz9mNUZTMRAgfhAKCHmxJGUJnPA7RRyDsJUXwm6ihx1QCgxMOP
8V4j5NM3U5XVp2XUUzgHz58=
=ql3k
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.