funsec mailing list archives

Re: Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR)

From: fukami <fukami () sektioneins de>
Date: Tue, 26 Feb 2008 10:32:38 +0100

On 25.02.2008, at 06:37, Paul Ferguson wrote:

I can't wait until NoScript integrates blocking for it...  :-)



I doubt it will happen soon. For this to work Giorgio needs
integrate NoScript into Webkit :)


On 25.02.2008, at 20:54, Richard M. Smith wrote:

I just don't see the big deal here.  Developers can create insecure
applications in most any programming language.  Why pick on AIR?



I have been able to exploit a custom AIR app with a simple XSS at
Basecamp in order manipulate data on hosts running this app with
the AIR beta.

Adobe changed the way how AIR handles remote JS, so I personally
didn't find a quick way to circumvent it. Remote JS obviously run
in a different sandbox so it cannot execute AIR API functions.
But I haven't look into sandbox bridging by now.


kthnxbye,
     fukami


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Current thread:

Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR) Paul Ferguson (Feb 24)
- Re: Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR) Eduardo Tongson (Feb 24)
- Re: Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR) security curmudgeon (Feb 24)
- Re: Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR) Richard M. Smith (Feb 25)
- Re: Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR) fukami (Feb 26)
  - Re: Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR) Richard M. Smith (Feb 26)