Feeds

MS to block internet apps by default in .NET

It's the corporates, stoopid...

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Microsoft is to implement a switch in default security settings in a forthcoming service release for the .NET Framework. As shipped, the default policy will be not to allow managed code to run from the Internet. Think about that one for a moment and then think about what you thought .NET was supposed to be about, folks - but don't worry, you can always switch it back on.

In a posting to a .NET discussion group, .NET client architect Chris Anderson explained this, somewhat redundantly, as meaning that "we are secure by default." He also said Microsoft was continuing to "comb the product for quality and security issues." Under the new regime it will be possible to turn running code from the Internet zone back on via the .NET Framework security utilities, or "you can easily add a web site into the Trusted Sites internet explorer zone, add a site to the .NET Framework security settings, or set the .NET Framework to trust a specific publisher or strong name or hash value, etc."

Given the blizzard of security bad news that has engulfed Microsoft of late, and Bill Gates' consequent discovery of security as the number one priority, it would seem obvious that the .NET switch is in some way connected, and that "secure by default" (which we note is an OpenBSD slogan) will be guesting in Redmond marketing campaigns Real Soon Now.

The real point, as Anderson makes clear further on in the posting, is: "We believe that one of the most compelling usage of safe mobile code is in the corporate intranet. By changing the default for the internet zone, we make it safer for corporations to deploy the .NET Framework in their networks."

Alternatively, if Microsoft can say to its corporate customers that .NET is absolutely secure because only your own trusted applications will run, and you're in no danger from stuff from out in the badlands, then they're less likely to foot-drag because of their perception that Microsoft products are dangerously insecure. Put simply, Microsoft needs a brick wall it can point to.

The move does however represent a serious downscaling of what .NET was originally supposed to be about, and is going to foreground trust as an issue as it rolls out beyond corporate intranets. Nor is it the entire answer (remember that when the Microsoft sales people come round). If an application can manage to persuade IE that it's running in a secure zone, then you're still knackered. We believe this happened relatively recently... ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
MI6 oversight report on Lee Rigby murder: US web giants offer 'safe haven for TERRORISM'
PM urged to 'prioritise issue' after Facebook hindsight find
Assange™ slumps back on Ecuador's sofa after detention appeal binned
Swedish court rules there's 'great risk' WikiLeaker will dodge prosecution
NSA mass spying reform KILLED by US Senators
Democrats needed just TWO more votes to keep alive bill reining in some surveillance
'Internet Freedom Panel' to keep web overlord ICANN out of Russian hands – new proposal
Come back with our internet! cries Republican drawing up bill
What a Mesa: Apple vows to re-use titsup GT sapphire glass plant
Commits to American manufacturing ... of secret tech
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Driving business with continuous operational intelligence
Introducing an innovative approach offered by ExtraHop for producing continuous operational intelligence.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.