Archive for December, 2008

So much for Internet Security

Why do I get the feeling that if Microsoft pulled with Silverlight what Adobe has with AIR, that there would be riots in the streets. I’m referring specifically to the fact that (from what I can tell) they bundle the AIR installer in with Flash (so everyone on the internet can install it nice and easy with a single click), this then allows AIR applications to be installed that have UNRESTRICTED access to your hard drive. Now I guess these two things in isolation aren’t really an issue. I guess it’s no different to you downloading an application and installing it onto your machine. And at least they are up front about the impact (although I doubt anyone could make an informed decision based on the following):

image

Also something bugs me about the technology, and I admit I know next to nothing about how it works, but one thing I’m aware of is that it uses JavaScript as a programming language. Ok, fair enough, a language is just a language and really means nothing about a system’s security. Except that it’s used quite often to run dynamic script, downloaded (or generated) on the fly from a server or user’s input. This leads to bugs, that result in Script Injection, XSS and the like. In a normal browser sandbox setting, a Script injection is bad for the guys who wrote the app (and sometimes inconvenient for the users). But when a JavaScript app has UNRESTRICTED access to your system. That bothers me somewhat.

Are my concerns unfounded? Is it impossible or even made difficult for AIR developers to stuff up these kinds of scenarios? I’d love to be proven wrong.

Leave a comment