Apollo engine – High Security Exploit

Apollo still doesn’t have “real world” uses for me before the final release. Today I figured out that Apollo .air files are far too easy to exploit and can expose private data from the user’s machine.

The .air file is nothing more than a .zip file, into which someone can put extra virus code, and the Apollo engine then extracts it onto the user’s machine.

See the simulation here.

This is a very serious security issue in my view. Adobe needs to improve the security of the Apollo engine before releasing the final version if they want user adoption.

BE CAREFUL: Only download an Apollo application if you know the provider, or double-check the .air file using a .zip extractor. Someone may steal information from you.
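The manual check suggested above (opening the .air file with a .zip extractor) can be scripted. The following Python sketch is an added example, not part of the original post or of Apollo: it lists an archive's entries without writing anything to disk and flags entries whose first bytes match a native executable format. The entry names in the sample archive are constructed for illustration.

```python
import io
import zipfile

# Leading bytes of common native executable formats.
NATIVE_MAGIC = {
    b"MZ": "Windows PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O (64-bit)",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary or Java class",
}
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".sh")


def inspect_air(source):
    """List every entry of a .air (ZIP) archive without extracting to disk.

    `source` is a path or a binary file object. Returns a list of
    (entry_name, size_in_bytes, finding); finding is None if nothing stood out.
    """
    report = []
    with zipfile.ZipFile(source) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            with archive.open(info) as entry:
                head = entry.read(4)  # only the header bytes are read
            finding = next((label for magic, label in NATIVE_MAGIC.items() if head.startswith(magic)), None)
            if finding is None and info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                finding = "script file"
            report.append((info.filename, info.file_size, finding))
    return report


def build_sample_air():
    """Constructed sample archive: a descriptor, a SWF and a stray .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("application.xml", "<application/>")
        z.writestr("Main.swf", b"CWS\x09" + b"\x00" * 16)
        z.writestr("assets/helper.exe", b"MZ\x90\x00" + b"\x00" * 60)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, size, finding in inspect_air(build_sample_air()):
        print(f"{size:>8}  {name}  {finding or ''}")
```

A clean listing only rules out bundled native binaries and shell scripts; it says nothing about what the application's own code does once installed.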

6 Comments

  1. Posted May 31, 2007 at 3:57 am | Permalink

    An Apollo application is just like any other executable application in the sense that merely running it is dangerous. You would not run random executables from an untrusted source, so do not run Apollo applications from untrusted sources either.

    Adobe takes an extra step to warn you. When you run a .air file it says “Installing applications may present a security risk to you and your computer. Install only from sources that you trust.” and “This application may access your file system and the internet, which may put your computer at risk.”

    Seems like perfectly adequate measures have been taken. But yes, you are right in saying that Apollo applications can steal information (as well as damage/destroy it). Windows users should never open files from untrusted sources, even with seemingly safe extensions.

  2. Sven
    Posted May 31, 2007 at 4:21 am | Permalink

    This is certainly a risk, but isn’t it a risk for desktop applications in general that you download from the internet, and isn’t this the reason why people should use antivirus software?

  3. sinatosk
    Posted May 31, 2007 at 6:23 am | Permalink

    …and you can package files during compilation… how is this an exploit???

  4. Posted May 31, 2007 at 8:34 am | Permalink

    Not so.

    While you can embed any virus in executable application format inside an .air archive, it does not slip through antivirus software, because antivirus software usually checks all new files that are being written to disk, and to run an embedded virus you would have to unzip it first, so it would be caught. The only way to make this code really malicious is to code the virus in AS3.

  5. Posted May 31, 2007 at 2:07 pm | Permalink

    I agree with George (although I wish I knew his last name ;-) .

    Apollo applications are real applications. Besides the installation process, they can read and write your local file system. You have to trust the creators of any application you install.

    Web browsers are great, because you can safely visit any site in the world (assuming you’re up-to-date and are not in the typical zero-day exploit profile).

    Apollo-based applications are applications, and it is folly to casually install applications from strangers.

    Use the browser to surf to strangers — install applications only from those you trust, and whose reputation backs up your commitment.

    Good…?

    jd/adobe

    PS: There’s some signing abilities coming into future builds, so that you can confirm identity, but I’m not certain if this would preclude alteration of the file after it has been signed. Regardless, these applications still have read/write permission on your drive, so you’d need to trust them in the first place anyway.

  6. Posted May 31, 2007 at 3:13 pm | Permalink

    I agree with George and John too.

    The alert problem is exactly what John points out: if the Adobe Apollo team releases a certification for it, it will be much better for end users, who will be able to use the application without problems.

    Because as it stands today, it’s very difficult to convince people from organizations to adopt Apollo without a certification of its safety and security.

    John, if this is released, that would be very great for any developer and development company.

One Trackback

  1. [...] with MD5. Now things move to a different level and it comes to have a more mature run-time. Since before, in that post I wrote in English, it was very easy to spread viruses through AIR. This serious flaw was soon [...]
