Re: Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR)

["Richard M. Smith" <rms () computerbytesman com>]

In your test case, how would an external attacker supply the XSS code to an
insecure AIR application?  Would they have to be at the keyboard or is there
another way in?

Have you also looked at how Outlook and Outlook Express deal with attached
AIR files?  I'm wondering how likely it will be that we see email malware
that is distributed as attached AIR files.

Richard

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of fukami
Sent: Tuesday, February 26, 2008 4:33 AM
To: funsec () linuxbox org
Subject: Re: [funsec] Yet Another Emerging Web 2.0 Security Threat: Adobe
Integrated Runtime (AIR)

On 25.02.2008, at 06:37, Paul Ferguson wrote:
> I can't wait until NoScript integrates blocking for it...  :-)


I doubt it will happen soon. For this to work Giorgio needs
integrate NoScript into Webkit :)


On 25.02.2008, at 20:54, Richard M. Smith wrote:
> I just don't see the big deal here.  Developers can create insecure
> applications in most any programming language.  Why pick on AIR?


I have been able to exploit a custom AIR app with a simple XSS at
Basecamp in order manipulate data on hosts running this app with
the AIR beta.

Adobe changed the way how AIR handles remote JS, so I personally
didn't find a quick way to circumvent it. Remote JS obviously run
in a different sandbox so it cannot execute AIR API functions.
But I haven't look into sandbox bridging by now.


kthnxbye,
     fukami


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.