Feeds

MS to block internet apps by default in .NET

It's the corporates, stoopid...

  • alert
  • submit to reddit

Build a business case: developing custom apps

Microsoft is to implement a switch in default security settings in a forthcoming service release for the .NET Framework. As shipped, the default policy will be not to allow managed code to run from the Internet. Think about that one for a moment and then think about what you thought .NET was supposed to be about, folks - but don't worry, you can always switch it back on.

In a posting to a .NET discussion group, .NET client architect Chris Anderson explained this, somewhat redundantly, as meaning that "we are secure by default." He also said Microsoft was continuing to "comb the product for quality and security issues." Under the new regime it will be possible to turn running code from the Internet zone back on via the .NET Framework security utilities, or "you can easily add a web site into the Trusted Sites internet explorer zone, add a site to the .NET Framework security settings, or set the .NET Framework to trust a specific publisher or strong name or hash value, etc."

Given the blizzard of security bad news that has engulfed Microsoft of late, and Bill Gates' consequent discovery of security as the number one priority, it would seem obvious that the .NET switch is in some way connected, and that "secure by default" (which we note is an OpenBSD slogan) will be guesting in Redmond marketing campaigns Real Soon Now.

The real point, as Anderson makes clear further on in the posting, is: "We believe that one of the most compelling usage of safe mobile code is in the corporate intranet. By changing the default for the internet zone, we make it safer for corporations to deploy the .NET Framework in their networks."

Alternatively, if Microsoft can say to its corporate customers that .NET is absolutely secure because only your own trusted applications will run, and you're in no danger from stuff from out in the badlands, then they're less likely to foot-drag because of their perception that Microsoft products are dangerously insecure. Put simply, Microsoft needs a brick wall it can point to.

The move does however represent a serious downscaling of what .NET was originally supposed to be about, and is going to foreground trust as an issue as it rolls out beyond corporate intranets. Nor is it the entire answer (remember that when the Microsoft sales people come round). If an application can manage to persuade IE that it's running in a secure zone, then you're still knackered. We believe this happened relatively recently... ®

Boost IT visibility and business value

More from The Register

next story
Video of US journalist 'beheading' pulled from social media
Yanked footage featured British-accented attacker and US journo James Foley
Kate Bush: Don't make me HAVE CONTACT with your iPHONE
Can't face sea of wobbling fondle implements. What happened to lighters, eh?
Caught red-handed: UK cops, PCSOs, specials behaving badly… on social media
No Mr Fuzz, don't ask a crime victim to be your pal on Facebook
Ballmer leaves Microsoft board to spend more time with his b-balls
From Clippy to Clippers: Hi, I see you're running an NBA team now ...
Amazon takes swipe at PayPal, Square with card reader for mobes
Etailer plans to undercut rivals with low transaction fee offer
Microsoft exits climate denier lobby group
ALEC will have to do without Redmond, it seems
Assange™: Hey world, I'M STILL HERE, ignore that Snowden guy
Press conference: ME ME ME ME ME ME ME (cont'd pg 94)
Call of Duty daddy considers launching own movie studio
Activision Blizzard might like quality control of a CoD film
US regulators OK sale of IBM's x86 server biz to Lenovo
Now all that remains is for gov't offices to ban the boxes
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.