Wednesday, October 3, 2007

Could Adobe be vulnerable to an AIR attack?

Adobe Systems Inc.'s moves to support rich Internet applications are exposing the software vendor -- and its developers and users -- to the threat of more Web-based malware and efforts to take advantage of security holes in its products.

"It's annoying to Adobe that suddenly they have become a target" for malicious hackers, said Chris Swenson, an analyst at NPD Group Inc. in Port Washington, N.Y.

For instance, a British security researcher claimed last month that an unpatched vulnerability in Adobe's Portable Document Format (PDF) technology could be exploited to take control of systems running Windows XP; at the time, Adobe said it was researching the reported flaw. And in January, Adobe issued a patch to fix a vulnerability in its PDF-based Adobe Reader and Acrobat software that made systems vulnerable to cross-site scripting attacks.

And then there are all the potential vulnerabilities lurking in Adobe's newer, less mature technologies, such as its still-in-beta Adobe Integrated Runtime (AIR) software.

The AIR framework enables Web applications built with HTML or Asynchronous JavaScript and XML (AJAX) to run offline. The problem, though, is that doing so exposes users of AIR-based applications to many of the same security issues that other users face, if not more of them, according to Ron Schmelzer, an analyst at ZapThink LLC in Waltham, Mass.

"The current generation of spyware, virus and malware [detection] products have no visibility into running AIR programs," Schmelzer wrote in an e-mail. "As such, there is a high possibility for malicious AIR applications -- which are no longer security-restricted to the browser sandbox and are free to manipulate local machines -- to spread into the wild."

John Landwehr, Adobe's director of security solutions and strategy, said at the company's Adobe MAX 2007 North America conference here that AIR applications are not only digitally signed to ensure authenticity, but also use security sandboxes to limit the ability of malware to take control of other applications on a compromised PC.

(ICTNEWS)

No comments: