http://www.owasp.org/index.php/RIA_Security_Smackdown
Andre On Mon, Feb 25, 2008 at 1:13 PM, Richard M. Smith <[EMAIL PROTECTED]> wrote: > I'm still confused here. Given that AIR applications are downloaded and > executed on a desktop and not inside of browser, why do they present any > new > and different security risks compared to regular old .exe files? (One > thing > I can think of is that Outlook and Outlook Express probably won't > automatically delete attached AIR files. OTOH, Outlook and Outlook > Express > already fail to protect me from malicious Python and Perl script file > attachments.) > > BTW, the AIR engine sounds just like Microsoft's 10-year "HTML Appliction" > (AKA .HTA) technology: > > Adobe melds desktop, Web apps with AIR > http://www.infoworld.com/article/08/02/24/adobe-air_1.html > > "Applications using AIR can be written using the same technologies > commonly used to build Web applications, including Adobe Flex and > Flash, HTML, and JavaScript." > > Vs. > > Introduction to HTML Applications (HTAs) > > http://msdn2.microsoft.com/en-us/library/ms536496(VS.85).aspx<http://msdn2.microsoft.com/en-us/library/ms536496%28VS.85%29.aspx> > > With HTAs, Dynamic HTML (DHTML) with script can be added to that list. > HTAs not only support everything a Web page does-namely HTML, Cascading > Style Sheets (CSS), scripting languages, and behaviors-but also > HTA-specific > functionality. This added functionality provides control over user > interface design and access to the client system. > > Richard > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Paul Ferguson > Sent: Monday, February 25, 2008 1:19 AM > To: [EMAIL PROTECTED] > Cc: [email protected] > Subject: Re: [funsec] Yet Another Emerging Web 2.0 Security Threat: Adobe > Integ rated Runtime (AIR) > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > - -- "Eduardo Tongson" <[EMAIL PROTECTED]> wrote: > > >You don't run AIR inside a browser. This is similar to Flash > >applications compiled to exe. Basically you can program desktop > >applications using Flash, JS etc. A sample application/game developed > >in AIR I looked at [1]. > > > >[1] <http://blog.eonsec.com/2008/02/tongits-is-in-air.html> > > > > - From the description the InfoWorld article of the AIR application > developed & used by NASDAQ: > > http://www.infoworld.com/article/08/02/24/adobe-air_1.html > > ...it sounds very much like a "widget" -type of application, > pulling content from a third-party location. > > If this is true, then I see a wide adoption of this (as we already > see with widgets on social networking sites, etc.), as well as > wide-spread possibility for exploitation. > > - - ferg > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.3 (Build 3017) > > wj8DBQFHwl3Lq1pz9mNUZTMRAr/5AJ4iJf6bwko2mwweUfAmsfhd1Ef8IACgheR0 > fITbFeyAQAYxhxovZw+VfFo= > =rprJ > -----END PGP SIGNATURE----- > > > -- > "Fergie", a.k.a. Paul Ferguson > Engineering Architecture for the Internet > fergdawg(at)netzero.net > ferg's tech blog: http://fergdawg.blogspot.com/ > > > _______________________________________________ > Fun and Misc security discussion for OT posts. > https://linuxbox.org/cgi-bin/mailman/listinfo/funsec > Note: funsec is a public and open mailing list. > > _______________________________________________ > Fun and Misc security discussion for OT posts. > https://linuxbox.org/cgi-bin/mailman/listinfo/funsec > Note: funsec is a public and open mailing list. >
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
