Posted by Joe Barta on 01/20/06 19:42
Andy Dingley wrote:
> On Fri, 20 Jan 2006 07:35:09 GMT, Joe Barta <jbarta@apk.net>
> wrote:
>
>>So to you, ANYTHING related to IE is generically suspect?
>
> Not to me.
>
> But IE has glaring holes in it. One of the most concerning of
> these holes is the huge reliance on sandboxing when it comes to
> ActiveXs. This is tricky enough for HTML but when it comes to HTAs
> they have so much implicit trust around them that many of the usual
> controls are no longer applied. HTAs aren't just .EXEs, they're
> uncontrolled EXEs running in a context where external access is
> likely and unsuspicious - a sneaky HTA is a gateway to _anything_
> happening.
>
> I've also used one HTA that was a badly-architected intranet app.
> This was delivered by a central server outside the control of the
> user and if their _local_ filesystem wasn't organised in the same
> way as the original developer's, then it deleted part of the
> filesystem tree! It's a way to deploy potentially damaging EXEs
> to many users (and many contexts) whilst encouraging careless
> developers to not fully think through the issues of deployment.
I did a little reading, following up on your comments, thank you.
Correct me if I'm wrong, but the big concern is specifically with
ActiveX controls, right? And anything that can potentially contain an
ActiveX control can be problematic?
Joe Barta
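The concern raised above is that an HTA runs with implicit trust: any ActiveX object it instantiates (filesystem, shell) works outside the browser's usual controls, and a hard-coded local path, as in the intranet app Andy describes, becomes a destructive action on every machine whose layout differs. The following added example, which is not from the thread or from any of the posters, is a small static scanner a defender could run over .hta files before deploying or allowing them. It flags the HTA:APPLICATION marker, ActiveX ProgIDs created via CreateObject/ActiveXObject, destructive FileSystemObject calls, shell execution, and absolute local paths. The sample HTA text, the pattern names and the risk levels are all constructed for this example.

```python
"""Static scan of an HTML Application (.hta) for the trust-sensitive
constructs discussed in the thread: ActiveX instantiation plus
filesystem/shell access that runs outside the browser sandbox.
Example code, not part of the original thread."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a small intranet-style HTA that assumes a fixed
# local folder layout and deletes a folder on the user's machine.
SAMPLE_HTA = """<html>
<head>
<title>Intranet Cleanup</title>
<HTA:APPLICATION id="cleanup" applicationname="Cleanup" />
<script language="VBScript">
Set fso = CreateObject("Scripting.FileSystemObject")
Set sh = CreateObject("WScript.Shell")
fso.DeleteFolder "C:\\Projects\\tmp"
sh.Run "cmd /c echo done"
</script>
</head>
<body>Cleaning up...</body>
</html>
"""

# Constructed control case: plain HTML with no HTA marker or ActiveX.
SAFE_HTML = """<html><body><p>Hello</p></body></html>
"""

# ProgID passed to CreateObject(...) (VBScript) or new ActiveXObject(...) (JScript).
ACTIVEX_RE = re.compile(
    r"(?:CreateObject|new\s+ActiveXObject)\s*\(\s*[\"']([^\"']+)[\"']", re.IGNORECASE
)

# Named findings; VBScript is case-insensitive, so match case-insensitively.
FINDING_RES: Dict[str, "re.Pattern[str]"] = {
    "hta_application": re.compile(r"<HTA:APPLICATION\b", re.IGNORECASE),
    "filesystem_delete": re.compile(r"\.(?:DeleteFolder|DeleteFile)\b", re.IGNORECASE),
    "shell_run": re.compile(r"\.(?:Run|Exec)\b", re.IGNORECASE),
}

# Absolute Windows path such as C:\Projects\tmp (the developer's layout baked in).
LOCAL_PATH_RE = re.compile(r"[A-Za-z]:\\[^\"'\s]*")


def scan_hta(text: str) -> dict:
    """Return findings (name, line number), ProgIDs, hard-coded paths and a risk level."""
    findings: List[Tuple[str, int]] = []
    progids: List[str] = []
    paths: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in FINDING_RES.items():
            if rx.search(line):
                findings.append((name, lineno))
        progids.extend(ACTIVEX_RE.findall(line))
        paths.extend(LOCAL_PATH_RE.findall(line))

    names = {name for name, _ in findings}
    # Risk levels are a constructed triage scale for this example.
    if names & {"filesystem_delete", "shell_run"}:
        risk = "high"      # can alter the local filesystem or launch processes
    elif progids:
        risk = "medium"    # instantiates ActiveX but no destructive call seen
    else:
        risk = "low"
    return {
        "is_hta": "hta_application" in names,
        "progids": progids,
        "findings": findings,
        "hardcoded_paths": paths,
        "risk": risk,
    }


if __name__ == "__main__":
    for label, doc in (("sample.hta", SAMPLE_HTA), ("safe.html", SAFE_HTML)):
        report = scan_hta(doc)
        print(f"{label}: risk={report['risk']} hta={report['is_hta']}")
        for name, lineno in report["findings"]:
            print(f"  line {lineno}: {name}")
        for progid in report["progids"]:
            print(f"  ActiveX ProgID: {progid}")
        for path in report["hardcoded_paths"]:
            print(f"  hard-coded local path: {path}")
```

On the constructed sample the scanner reports a high-risk HTA with two ProgIDs, a DeleteFolder call and one hard-coded path; the plain HTML control reports nothing. A pattern scan like this is only a first filter for review or an allow-list gate, since scripts can assemble ProgIDs and paths at runtime, which is exactly why the post treats HTA trust itself as the underlying problem.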