Reply to Re: Trust (was CSS Button Designer)


Posted by Andy Dingley on 01/20/06 15:56

On Fri, 20 Jan 2006 07:35:09 GMT, Joe Barta <jbarta@apk.net> wrote:

>So to you, ANYTHING related to IE is generically suspect?

Not to me.

But IE has glaring holes in it. One of the most concerning of these
holes is the huge reliance on sandboxing when it comes to ActiveXs. This
is tricky enough for HTML but when it comes to HTAs they have so much
implicit trust around them that many of the usual controls are no longer
applied. HTAs aren't just .EXEs, they're uncontrolled EXEs running in a
context where external access is likely and unsuspicious - a sneaky HTA
is a gateway to _anything_ happening.

I've also used one HTA that was a badly-architected intranet app. This
was delivered by a central server outside the control of the user and if
their _local_ filesystem wasn't organised in the same way as the
original developer's, then it deleted part of the filesystem tree! It's
a way to deploy potentially damaging EXEs to many users (and many
contexts) whilst encouraging careless developers to now fully think
through the issues of deployment.
