Today, Adobe officially launched their new infrastructure for delivering rich Internet applications to your desktop: Adobe Integrated Runtime, or "AIR" for short. At first glance, Adobe AIR looks like a mashup of many existing Web and Adobe technologies such as HTML, AJAX, ActionScript, Flash, and Flex. By combining rich media and user interface features, and leveraging the existing expertise in these technologies, Adobe hopes to bring highly interactive and engaging Web applications to the desktop.
Technologies provided by Adobe, such as Flash, enable a multimedia developer to easily create fantastic-looking and engaging applications and deploy them across various platforms by operating within a browser environment. Adobe AIR takes it a step further by liberating these technologies and placing them within their own desktop-based environment in a similar fashion to Java or .NET. Using this approach, it can achieve a number of aims:
Impose its own security restrictions upon the applications that operate within it.
Offer rich and highly engaging content by using existing technologies.
Package Web technologies within a desktop operating environment, with or without the browser.
Provide operating system independence.
AIR offers a powerful set of APIs that enable an application to access parts of the host computer. For example, AIR allows you to write and manipulate files on the file system. When you combine its file system capabilities with the ability to make remote networking requests to download content, you can quite easily see the potential for danger. For example, it is quite possible for somebody to write a malicious application to run in Adobe AIR, downloading code remotely or engaging in other nefarious activities, such as denial of service attacks or stealing information.
Given the potential for misuse that this power creates, Adobe has taken steps to address the security implications. AIR applications may employ a number of sandboxes in which to operate, such as trusted and untrusted zones. Application code running in the trusted zone will have full and direct access to the AIR APIs, while untrusted content will not. Of course, people will inevitably find ways around this, and malware creators will no doubt attempt to exploit them.
Another aspect of the Adobe AIR security model is the concept of application signing. While this can help to provide some security, it does not really go far enough to prevent many of the security issues that we see today. According to Adobe, self-signed applications will be flagged prominently before the application is installed. The problem with this type of security is that many end users don't really care or know enough about security issues to take heed of the warnings. In many cases, the user is the weakest link, susceptible to con tricks and social engineering. Users are often easily tempted by social engineering lures such as the latest news, sex, drugs, etc., and end up running something even if they are not sure who created the application.
The introduction of Adobe AIR has no doubt opened up a new wave of possibilities for the development of exciting and engaging network-aware desktop applications. But with its powerful capabilities and reliance on one of the weakest forms of security (i.e. the average computer user), if AIR becomes ubiquitous we can surely expect to see malicious code authors targeting it.



