True, it is a bit of apples and oranges, but much of the same functionality exists in all the platforms; some carry a bit more risk based on their security models (or lack thereof).

It should be noted that the link I sent to the list is a bit dated (it was done back in August of 07), so I am sure as these frameworks have progressed there have been subtle (or major) shifts in their security architecture.

Andre Ludwig

On Mon, Feb 25, 2008 at 1:57 PM, Richard M. Smith <[EMAIL PROTECTED]> wrote:
> Thanks for the link, but the OWASP table seems to be comparing apples and
> oranges. Some of the technologies run inside of Web pages (Java and Flash),
> while other technologies run standalone applications (eg, JFX and AIR). I
> think the security implications of standalone applications that have local
> file system access are pretty well understood. ;-)
>
> Richard
>
> *From:* Andre Ludwig [mailto:[EMAIL PROTECTED]
> *Sent:* Monday, February 25, 2008 1:41 PM
> *To:* Richard M. Smith
> *Cc:* [email protected]
> *Subject:* Re: [funsec] Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR)
>
> http://www.owasp.org/index.php/RIA_Security_Smackdown
>
> Andre
>
> On Mon, Feb 25, 2008 at 1:13 PM, Richard M. Smith <[EMAIL PROTECTED]> wrote:
> > I'm still confused here. Given that AIR applications are downloaded and
> > executed on a desktop and not inside of a browser, why do they present any
> > new and different security risks compared to regular old .exe files? (One
> > thing I can think of is that Outlook and Outlook Express probably won't
> > automatically delete attached AIR files. OTOH, Outlook and Outlook Express
> > already fail to protect me from malicious Python and Perl script file
> > attachments.)
> >
> > BTW, the AIR engine sounds just like Microsoft's 10-year-old "HTML Application"
> > (AKA .HTA) technology:
> >
> > Adobe melds desktop, Web apps with AIR
> > http://www.infoworld.com/article/08/02/24/adobe-air_1.html
> >
> > "Applications using AIR can be written using the same technologies
> > commonly used to build Web applications, including Adobe Flex and
> > Flash, HTML, and JavaScript."
> >
> > Vs.
> >
> > Introduction to HTML Applications (HTAs)
> > http://msdn2.microsoft.com/en-us/library/ms536496(VS.85).aspx
> >
> > With HTAs, Dynamic HTML (DHTML) with script can be added to that list.
> > HTAs not only support everything a Web page does, namely HTML, Cascading
> > Style Sheets (CSS), scripting languages, and behaviors, but also
> > HTA-specific functionality. This added functionality provides control over
> > user interface design and access to the client system.
> >
> > Richard
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Ferguson
> > Sent: Monday, February 25, 2008 1:19 AM
> > To: [EMAIL PROTECTED]
> > Cc: [email protected]
> > Subject: Re: [funsec] Yet Another Emerging Web 2.0 Security Threat: Adobe Integrated Runtime (AIR)
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > -- "Eduardo Tongson" <[EMAIL PROTECTED]> wrote:
> >
> > > You don't run AIR inside a browser. This is similar to Flash
> > > applications compiled to exe. Basically you can program desktop
> > > applications using Flash, JS etc. A sample application/game developed
> > > in AIR I looked at [1].
> > >
> > > [1] <http://blog.eonsec.com/2008/02/tongits-is-in-air.html>
> >
> > From the description in the InfoWorld article of the AIR application
> > developed & used by NASDAQ:
> >
> > http://www.infoworld.com/article/08/02/24/adobe-air_1.html
> >
> > ...it sounds very much like a "widget"-type of application,
> > pulling content from a third-party location.
> >
> > If this is true, then I see a wide adoption of this (as we already
> > see with widgets on social networking sites, etc.), as well as
> > wide-spread possibility for exploitation.
> >
> > - ferg
> >
> > --
> > "Fergie", a.k.a. Paul Ferguson
> > Engineering Architecture for the Internet
> > fergdawg(at)netzero.net
> > ferg's tech blog: http://fergdawg.blogspot.com/
> >
> > _______________________________________________
> > Fun and Misc security discussion for OT posts.
> > https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> > Note: funsec is a public and open mailing list.
