funsec mailing list archives
Re: Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR)
From: fukami <fukami () sektioneins de>
Date: Tue, 26 Feb 2008 10:32:38 +0100
On 25.02.2008, at 06:37, Paul Ferguson wrote:
I can't wait until NoScript integrates blocking for it... :-)
I doubt it will happen soon. For this to work Giorgio needs integrate NoScript into Webkit :) On 25.02.2008, at 20:54, Richard M. Smith wrote:
I just don't see the big deal here. Developers can create insecure applications in most any programming language. Why pick on AIR?
I have been able to exploit a custom AIR app with a simple XSS at Basecamp in order manipulate data on hosts running this app with the AIR beta. Adobe changed the way how AIR handles remote JS, so I personally didn't find a quick way to circumvent it. Remote JS obviously run in a different sandbox so it cannot execute AIR API functions. But I haven't look into sandbox bridging by now. kthnxbye, fukami _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR) Paul Ferguson (Feb 24)
- Re: Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR) Eduardo Tongson (Feb 24)
- Re: Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR) security curmudgeon (Feb 24)
- Re: Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR) Richard M. Smith (Feb 25)
- Re: Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR) fukami (Feb 26)
- Re: Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR) Richard M. Smith (Feb 26)