Is Adobe vulnerable to an AIR attack?

Adobe Systems' moves to support RIAs (rich Internet applications) are exposing the software vendor -- and its developers and users -- to the threat of more Web-based malware and efforts to take advantage of security holes in its products.

"It's annoying to Adobe that suddenly they have become a target" for malicious hackers, said Chris Swenson, an analyst at NPD Group in Port Washington, N.Y.

For instance, a British security researcher claimed last month that an unpatched vulnerability in Adobe's Portable Document Format (PDF) technology could be exploited to take control of systems running Windows XP; at the time, Adobe said it was researching the reported flaw. And in January, Adobe issued a patch to fix a vulnerability in its PDF-based Adobe Reader and Acrobat software that made systems vulnerable to cross-site scripting attacks.

And then there are all the potential vulnerabilities lurking in Adobe's newer, less mature technologies, such as its still-in-beta AIR (Adobe Integrated Runtime) software.

The AIR framework enables Web applications built with HTML or AJAX (Asynchronous JavaScript and XML) to run offline. The problem, though, is that doing so exposes users of AIR-based applications to many of the same security issues that other users face, if not more of them, according to Ron Schmelzer, an analyst at ZapThink in Waltham, Mass.

"The current generation of spyware, virus, and malware [detection] products have no visibility into running AIR programs," Schmelzer wrote in an e-mail. "As such, there is a high possibility for malicious AIR applications -- which are no longer security-restricted to the browser sandbox and are free to manipulate local machines -- to spread into the wild."

John Landwehr, Adobe's director of security solutions and strategy, said at the company's Adobe MAX 2007 North America conference here that AIR applications are not only digitally signed to ensure authenticity, but also use security sandboxes to limit the ability of malware to take control of other applications on a compromised PC.

But that creates its own obstacles. "AIR has been a challenge to do security for," said Bill Manning, senior product manager at San Mateo, Calif.-based Aptana, which makes an open source development tool that supports AIR. "Because of the two sandboxes, there are two security models. It's a new method for developers to get used to. And the weight of security is on their shoulders."

Luke Adamski, a platform security strategist at Adobe, asserted that runtime environments such as AIR "are inherently a little safer" than simple Web sites based on AJAX or HTML are. But he agreed that AIR "can only do so much" on its own from a security standpoint.

In his e-mail, Schmelzer contended that "to protect the value of AIR and prevent a potentially fatal blow to the emerging technology," Adobe needs to partner with the major vendors of anti-virus tools "to provide AIR-specific threat prevention and malware scanning."