Re: Yet Another Emerging Web 2.0 Security Threat: AdobeInteg rated Runtime (AIR)

["Seborg, Brian H." <BSeborg () fdic gov>]

 Here's a more updated link on air security:
http://livedocs.adobe.com/air/1/devappshtml/help.html?content=security_1
.html
The one referenced below was still beta.

Brian :-)

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Richard M. Smith
Sent: Monday, February 25, 2008 2:54 PM
To: funsec () linuxbox org
Subject: Re: [funsec] Yet Another Emerging Web 2.0 Security Threat:
AdobeInteg rated Runtime (AIR)

I just don't see the big deal here.  Developers can create insecure
applications in most any programming language.  Why pick on AIR?

FWIW, here's Adobe AIR security write-up:

    http://download.macromedia.com/pub/labs/air/air_security.pdf   

The threat with AIR might be more indirect:  End-users will get
comfortable
about downloading and running desktop applications from strangers.  The
bad
guys will exploit this trust to distribute malware.

Richard

-----Original Message-----
From: Paul Ferguson [mailto:fergdawg () netzero net] 
Sent: Monday, February 25, 2008 2:21 PM
To: rms () computerbytesman com
Cc: funsec () linuxbox org
Subject: Re: [funsec] Yet Another Emerging Web 2.0 Security Threat:
Adobe
Integ rated Runtime (AIR)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- "Richard M. Smith" <rms () computerbytesman com> wrote:

> Thanks for the link, but the OWASP table seems to be comparing apples
and
> oranges.  Some of the technologies run inside of Web pages (Java and
> Flash), while other technologies run standalone applications (eg, JFX
and
> AIR).  I think the security implications of standalone applications
that
> have local file system access are pretty well understood. ;-)  

Maybe. Maybe not.

The real issue here is how these "applications" are implemented,
and how secure is their implementation.

It has already been exposed that earlier versions of AIR have
had serious bugs (file exclusion vulnerabilities, etc.) and this
may very well be yet another technology that exposes consumers to
unnecessarily to being exploited.

Ironically, the SAN ISC picked up on this, too:

http://isc.sans.org/diary.html?storyid=4019

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFHwxURq1pz9mNUZTMRAgfhAKCHmxJGUJnPA7RRyDsJUXwm6ihx1QCgxMOP
8V4j5NM3U5XVp2XUUzgHz58=
=ql3k
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.