funsec mailing list archives
Re: Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR)
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Tue, 26 Feb 2008 09:21:14 -0500
In your test case, how would an external attacker supply the XSS code to an insecure AIR application? Would they have to be at the keyboard or is there another way in?

Have you also looked at how Outlook and Outlook Express deal with attached AIR files? I'm wondering how likely it will be that we see email malware that is distributed as attached AIR files.

Richard

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of fukami
Sent: Tuesday, February 26, 2008 4:33 AM
To: funsec () linuxbox org
Subject: Re: [funsec] Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR)

On 25.02.2008, at 06:37, Paul Ferguson wrote:
> I can't wait until NoScript integrates blocking for it... :-)
I doubt it will happen soon. For this to work Giorgio needs to integrate NoScript into Webkit :)

On 25.02.2008, at 20:54, Richard M. Smith wrote:
> I just don't see the big deal here. Developers can create insecure applications in most any programming language. Why pick on AIR?
I have been able to exploit a custom AIR app with a simple XSS at Basecamp in order to manipulate data on hosts running this app with the AIR beta. Adobe changed the way AIR handles remote JS, so I personally didn't find a quick way to circumvent it. Remote JS obviously runs in a different sandbox so it cannot execute AIR API functions. But I haven't looked into sandbox bridging yet.

kthnxbye,
fukami

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR) Paul Ferguson (Feb 24)
- Re: Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR) Eduardo Tongson (Feb 24)
- Re: Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR) security curmudgeon (Feb 24)
- Re: Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR) Richard M. Smith (Feb 25)
- Re: Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR) fukami (Feb 26)
- Re: Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR) Richard M. Smith (Feb 26)