MS to block internet apps by default in .NET
Microsoft is to implement a switch in default security settings in a forthcoming service release for the .NET Framework. As shipped, the default policy will be not to allow managed code to run from the Internet. Think about that one for a moment and then think about what you thought .NET was supposed to be about, folks - but don't worry, you can always switch it back on.
In a posting to a .NET discussion group, .NET client architect Chris Anderson explained this, somewhat redundantly, as meaning that "we are secure by default." He also said Microsoft was continuing to "comb the product for quality and security issues." Under the new regime it will be possible to turn running code from the Internet zone back on via the .NET Framework security utilities, or "you can easily add a web site into the Trusted Sites internet explorer zone, add a site to the .NET Framework security settings, or set the .NET Framework to trust a specific publisher or strong name or hash value, etc."
Given the blizzard of security bad news that has engulfed Microsoft of late, and Bill Gates' consequent discovery of security as the number one priority, it would seem obvious that the .NET switch is in some way connected, and that "secure by default" (which we note is an OpenBSD slogan) will be guesting in Redmond marketing campaigns Real Soon Now.
The real point, as Anderson makes clear further on in the posting, is: "We believe that one of the most compelling usage of safe mobile code is in the corporate intranet. By changing the default for the internet zone, we make it safer for corporations to deploy the .NET Framework in their networks."
Alternatively, if Microsoft can say to its corporate customers that .NET is absolutely secure because only your own trusted applications will run, and you're in no danger from stuff from out in the badlands, then they're less likely to foot-drag because of their perception that Microsoft products are dangerously insecure. Put simply, Microsoft needs a brick wall it can point to.
The move does however represent a serious downscaling of what .NET was originally supposed to be about, and is going to foreground trust as an issue as it rolls out beyond corporate intranets. Nor is it the entire answer (remember that when the Microsoft sales people come round). If an application can manage to persuade IE that it's running in a secure zone, then you're still knackered. We believe this happened relatively recently...