When investigating the new Adobe Media Player, I discovered this disturbing system behavior. To run AMP, you have to install Adobe AIR first. You go to http://get.adobe.com/amp/ and hit "Install Now" (which is Flash content btw). The usual behavior for installing apps is that a *.dmg file appears in your Downloads directory (whatever you have set that to), and if you have chosen "Open Safe Applications" or the equivalent in your Web browser (I use OmniWeb), the *.dmg will be mounted and there you will see either the app itself, or an intaller. What happens in this case, though, is that the Flash window says, Adobe AIR Installer: INstalling this application requires Adobe AIR, which will also be downloaded and installed. Press yes to continue. After a moment, an app automatically launches to install AMP. This app is located in /private/var/folders/st/stI75rVOGHylzp56-M2VD++++TI/-Tmp-/airW2sAR6/Adobe\ AIR\ Installer.app/Contents/Frameworks/Adobe\ AIR.framework/Versions/1.0/Resources/Adobe\ AIR\ Application\ Installer.app. This is obviously a huge security hole unless Ive missed something. Clicking on a web link launches an app without any further consent by the user. And there are other application files in the /private/var/folders/ directory; these are all owned by the user and could be modified by the automatically launched app. The possibilities are endless for mischief. Please tell me Ive missed some component of the system that prevents such mischief.