Adobe AIR and Security

Friday, April 4, 2008 by Mistlee


By Brajeshwar Oinam

I was reading an Adobe article about an upcoming security update for Flash Player this month, April 2008. The Flash Player security update provides further mitigations for issues listed in the December 2007 Security Bulletin APSB07-20 for DNS rebinding and cross-domain policy file vulnerabilities, and Security Advisory APSA07-06 for cross-site scripting vulnerabilities in SWFs.

Adobe AIR shares technology with Flash Player, so it is likely that Adobe AIR too will get an update with these fixes. This prompted me to write a rather lengthy article on a related topic, Adobe AIR and Security, which has been lingering on my to-do list for quite a while. Lengthy as it is, this article will still fall short of covering all the details of AIR security, which is a big subject in itself.

What is affected? What should AIR developers care about?

From an AIR perspective, this is a very minor update, and it is likely that most existing AIR applications will continue to work without requiring any change. Nonetheless, applications that include the following types of content may be affected, because that content is subject to the same security restrictions as in the updated Flash Player:

• SWF or HTML content loaded from outside of the application (for example, from a web URL or from a local directory)

• SWF content hosted within HTML in an AIR application

If your AIR application uses affected content (non-application SWF/HTML; SWF in HTML) to do any of the following, consult Adobe's Flash Player 9 security update article:

• Use sockets or XMLSockets, regardless of the domain the SWF is connecting to

• Use addRequestHeader or URLRequest.requestHeaders in any network API call when sending or loading data cross-domain

• Rely on cross-domain access to web services, where HTTP headers are used to interact with the service

• Use SWFs that are exported for Flash Player 7 or below and that communicate with the hosting HTML by any means

• Use "javascript:" through network APIs to communicate outside a SWF
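The checklist above can be turned into a first-pass audit of an AIR project's sources. The following Python script is an added example, not code from the article or from Adobe; its function names and the sample snippet are constructed for illustration. A hit only marks a line for review, since the restrictions apply when the code runs in the affected content types.

```python
import re

# Source-level patterns for the API uses in the article's checklist.
CHECKS = {
    "socket": re.compile(r"\bnew\s+(?:XML)?Socket\b"),
    "request-headers": re.compile(r"\baddRequestHeader\s*\(|\.requestHeaders\b"),
    "javascript-url": re.compile(r"[\"']\s*javascript:", re.IGNORECASE),
}

def scan_source(text):
    """Return (line_number, check_name) for each checklist hit in ActionScript text."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("//"):   # skip whole-line comments
            continue
        for name, pattern in CHECKS.items():
            if pattern.search(line):
                hits.append((number, name))
    return hits

def swf_version(header):
    """Version byte of a SWF file header (FWS = plain, CWS = zlib), else None."""
    if len(header) >= 4 and header[:3] in (b"FWS", b"CWS"):
        return header[3]
    return None

def is_legacy_swf(header):
    """True for SWFs exported for Flash Player 7 or below."""
    version = swf_version(header)
    return version is not None and version <= 7

# Constructed sample input, not taken from any real application.
SAMPLE_AS = """\
var s:Socket = new Socket();
// new XMLSocket() mentioned in a comment is ignored
var req:URLRequest = new URLRequest("http://example.com/api");
req.requestHeaders.push(new URLRequestHeader("X-Token", "abc"));
navigateToURL(new URLRequest("javascript:refresh()"), "_self");
"""

if __name__ == "__main__":
    for number, name in scan_source(SAMPLE_AS):
        print(f"line {number}: {name}")
    print("legacy SWF:", is_legacy_swf(b"FWS\x07" + b"\x00" * 4))
```
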

Installing or upgrading to the new AIR should simply replace your current AIR version. The application descriptor does not require any change. Applications that do not rely on these types of content will not be affected by the security update. Specifically, all-SWF and all-HTML applications where all content files are loaded from the application's directory will remain unaffected. Note that the AIR runtime periodically checks whether any updates are available. Once an updated version is detected, the AIR runtime will download it in the background and install it automatically.


About the Author:
Brajeshwar is an ace digerati and an ardent believer in KISS (Keep It Simple Stupid). He envisions pushing the technical envelope time and again for the betterment of commercial and practical applications.
-- DevWebPro is an iEntry, Inc. publication --