Comments on: Apollo engine – High Security Exploit

By: Adobe AIR 2.0 é uma run-time madura para desenvolvimento comercial? | Igor Costa

Fri, 05 Feb 2010 20:03:28 +0000

[...] com MD5. Agora a coisa muda de esfera e passa a ter um run-time mais maduro. Já que antes, nesse post que fiz em inglês, era muito fácil disseminar vírus pelo AIR. Essa falha grave foi logo [...]

By: Igor Costa

Igor Costa — Thu, 31 May 2007 18:13:57 +0000

I agree with George and John too

The alert problem is that exactly what John point if Adobe Apollo team release a certification for it, Much better for any end users who will be able to use the application without problem.

Because like stay today it’s very dificult to convicent people from organizations to adopt Apollo without a certification that it’s safety and security.

John if this release that would be very great, for any developer and company development.

By: John Dowdell

John Dowdell — Thu, 31 May 2007 17:07:27 +0000

I agree with George (although I wish I knew his last name ;-) .

Apollo applications are real applications. Besides the installation process, they can read and write your local file system. You have to trust the creators of any application you install.

Web browsers are great, because you can safely visit any site in the world (assuming you’re up-to-date and are not in the typical zero-day exploit profile).

Apollo-based applications are applications, and it is folly to casually install applications from strangers.

Use the browser to surf to strangers — install applications only from those you trust, and whose reputation backs up your commitment.

Good…?

jd/adobe

PS: There’s some signing abilities coming into future builds, so that you can confirm identity, but I’m not certain if this would preclude alteration of the file after it has been signed. Regardless, these applications still have read/write permission on your drive, so you’d need to trust them in the first place anyway.

By: Paulius Uza

Paulius Uza — Thu, 31 May 2007 11:34:52 +0000

Not so.

While you can embed any virus in executable application format inside .air archive it does not slip through antivirus software, because antivirus software usually checks all new files that are being written to disk, and to run an embeded virus you would have to unzip it first, so it would be caught. The only way to make this code really malicious is to code the virus in AS3.

By: sinatosk

sinatosk — Thu, 31 May 2007 09:23:13 +0000

…and you can package files during compilation… how is this an exploit???

By: Sven

Sven — Thu, 31 May 2007 07:21:59 +0000

This is certainly a risk, but isn’t it a risk for desktop applications in general, that you download from the internet and isn’t this the reason why people should use antivirus software?

By: George

George — Thu, 31 May 2007 06:57:01 +0000

An Apollo application is just like any other executable application in the sense that merely running it is dangerous. You would not run random executables from an untrusted source, so do not run Apollo applications from untrusted sources either.

Adobe takes an extra step to warn you. When you run a .air file it says “Installing applications may present a security risk to you and your computer. Install only from sources that you trust.” and “This application may access your file system and the internet, which may put your computer at risk.”

Seems like perfectly adequate measures have been taken. But yes, you are right in saying that Apollo applications can steal information (as well as damage/destroy it). Windows users should never open files from untrusted sources, even with seemingly save extensions.