So much for Internet Security

Why do I get the feeling that if Microsoft pulled with Silverlight what Adobe has with AIR, there would be riots in the streets? I’m referring specifically to the fact that (from what I can tell) they bundle the AIR installer in with Flash (so everyone on the internet can install it nice and easy with a single click), which then allows AIR applications to be installed that have UNRESTRICTED access to your hard drive. Now I guess these two things in isolation aren’t really an issue. I guess it’s no different to you downloading an application and installing it onto your machine. And at least they are up front about the impact (although I doubt anyone could make an informed decision based on the following):

image

Also, something bugs me about the technology, and I admit I know next to nothing about how it works, but one thing I’m aware of is that it uses JavaScript as a programming language. OK, fair enough, a language is just a language and really means nothing about a system’s security. Except that it’s used quite often to run dynamic script, downloaded (or generated) on the fly from a server or user’s input. This leads to bugs that result in script injection, XSS and the like. In a normal browser sandbox setting, a script injection is bad for the guys who wrote the app (and sometimes inconvenient for the users). But when a JavaScript app has UNRESTRICTED access to your system, that bothers me somewhat.
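The concern in the paragraph above, as an added example that is not from the original post or from Adobe: a constructed server response is loaded once as code and once as data. The `runtime` object and its `readFile` method are hypothetical stand-ins for a privileged file API, not a real AIR interface.

```javascript
// Hypothetical stand-in for a privileged desktop file API (not a real AIR interface).
// It only records which paths were requested; nothing is read from disk.
function makeRuntime() {
  const touched = [];
  return {
    touched,
    readFile(path) { touched.push(path); return "<contents of " + path + ">"; },
  };
}

// Constructed sample responses: one is plain data, one carries script.
const BENIGN = '{"title": "Weather", "temp": 21}';
const TAINTED = '{"title": runtime.readFile("/home/user/private.txt"), "temp": 21}';

// Weak pattern: the response is evaluated as code, so any expression in it
// runs with whatever access the application itself has.
function loadWithEval(body, runtime) {
  // `runtime` is in scope for the evaluated text, as app objects usually are.
  return eval("(" + body + ")");
}

// Hardened pattern: parse strictly as data, then check the expected shape.
function loadWithParse(body) {
  let value;
  try {
    value = JSON.parse(body);
  } catch (err) {
    return { ok: false, reason: "not valid JSON" };
  }
  const shapeOk = value !== null && typeof value === "object" &&
    typeof value.title === "string" && typeof value.temp === "number";
  return shapeOk ? { ok: true, value } : { ok: false, reason: "unexpected shape" };
}

// Runs both loaders over both samples and reports what the file API saw.
function demo() {
  const rt = makeRuntime();
  loadWithEval(BENIGN, rt);
  const afterBenign = rt.touched.length;
  loadWithEval(TAINTED, rt);
  return {
    afterBenign,
    afterTainted: rt.touched.slice(),
    parsedBenign: loadWithParse(BENIGN),
    parsedTainted: loadWithParse(TAINTED),
  };
}
```

In a browser sandbox the evaluated expression would be limited to what the page can reach; here it reaches whatever the application can.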

Are my concerns unfounded? Is it impossible or even made difficult for AIR developers to stuff up these kinds of scenarios? I’d love to be proven wrong.
