1

Creating an OOB app with Silverlight is very easy, and I think that is a good thing. However, it is also easy to create an application that requires higher privileges, and with only one click a user can "allow" the program to do everything on his computer.

Am I correct? Am I correct to feel we have gone back to IE 6's days, when executing a harmful ActiveX was so easy?

The "desktop" .NET Framework uses Code Access Security to reduce the threat perimeter. Does SL too?

BenMorel
Steve B
  • I'm sorry, but what stops you from clicking a download link to an EXE file which then prompts you with the UAC prompt, you click OK, and there's an EXE running as admin doing whatever it wants with your computer? In other words, how is Silverlight OOB any different? – Sasha Goldshtein Feb 01 '11 at 13:23
  • Good point Sasha. Silverlight OOB app doesn't have access at least to every element on your computer. – Rafal Spacjer Feb 01 '11 at 13:25
  • SL OOB simplifies this process, as there is no download (from the point of view of the user) and only a check box has to be clicked. I hope most users are educated that running an exe from the web can be evil... not simply checking a box. – Steve B Feb 01 '11 at 13:25
  • @raf: the SL app gets the current logged-in user's rights, doesn't it? Or is SL limited to non-elevated operations? – Steve B Feb 01 '11 at 13:26
  • Yes, even with elevated trust permission SL OOB is limited. Take a look here: http://msdn.microsoft.com/en-us/library/ee721083(v=vs.95).aspx – Rafal Spacjer Feb 01 '11 at 13:42
  • Thanks for your feedback. Feel free to post it as an answer. I'll be pleased to mark it as the answer. – Steve B Feb 01 '11 at 13:45
  • As to elevated trust being limited - it is, but at least on Windows with COM, you can escape via COM and do just about anything. They're still of course running with no more permissions than the user (in some cases, less - see my answer about stripping the security token) so it's no worse than an EXE or VBScript or anything else. But it's a pretty good policy IMO to treat a Trusted Application as just as powerful/dangerous as a native app on Windows due to COM. Mac is more restricted. – Austin Lamb Feb 02 '11 at 07:53

3 Answers

5

Silverlight implements many mitigations to make this less scary than you think it is.

  1. OOB apps are, by default, sandboxed - so most of them should have no more permissions than an app in-browser would have.

  2. OOB apps (on Windows) intentionally restrict their security token when launching, so even if launched as an admin, they strip themselves of admin rights and re-launch (sllauncher.exe does this, the app has no say in it).

  3. There is a registry key that can be set at the HKLM level that allows administrators of, say, corporate networks to disallow all installations of OOB apps, or to disallow only the installation of (or running of) Trusted Applications. So, with a little group policy, the user can't even run these if they want to - compared to an EXE, which they surely can run under their own security context.

Austin Lamb
3

Silverlight OOB is not an alternative for Web Apps but for Desktop Apps.
And SL does use the same CAS as Fx4 (which is a little less than Fx 35 and before).

So it is certainly not worse than the alternatives, with the potential to make it safer.

H H
2

A trusted Silverlight OOB app on Windows should be considered as dangerous as an EXE. That is because, with a little help from COM interop, it can download an EXE file to the user's computer and execute it.

Check out the Silverlight security whitepaper for some extra information: http://download.microsoft.com/download/A/1/A/A1A80A28-907C-4C6A-8036-782E3792A408/Silverlight%20Security%20Overview.docx

Denis
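
The answers above separate sandboxed OOB apps from Trusted Applications; as an added example (not code from any of the posters), this Python sketch triages a XAP package by reading its `AppManifest.xaml` before it is allowed onto a machine. It assumes elevated trust is declared as `<SecuritySettings ElevatedPermissions="Required" />` inside the out-of-browser settings; `classify_xap` and `make_xap` are hypothetical names, and the sample packages are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespace of the Silverlight deployment manifest (AppManifest.xaml).
NS = "{http://schemas.microsoft.com/client/2007/deployment}"
MAX_MANIFEST = 1 << 20  # refuse oversized manifests (zip-bomb guard)


def classify_xap(xap_bytes):
    """Return 'in-browser only', 'sandboxed OOB' or 'trusted OOB'."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        try:
            info = xap.getinfo("AppManifest.xaml")
        except KeyError:
            raise ValueError("AppManifest.xaml missing, not a XAP package")
        if info.file_size > MAX_MANIFEST:
            raise ValueError("manifest too large")
        manifest = xap.read(info)
    # A manifest never needs a DTD; refuse one (byte check, UTF-8/ASCII input).
    if b"<!DOCTYPE" in manifest:
        raise ValueError("DTD in manifest rejected")
    root = ET.fromstring(manifest)
    if next(root.iter(NS + "OutOfBrowserSettings"), None) is None:
        return "in-browser only"
    # Assumption: elevated trust is requested with ElevatedPermissions="Required".
    for sec in root.iter(NS + "SecuritySettings"):
        if sec.get("ElevatedPermissions") == "Required":
            return "trusted OOB"
    return "sandboxed OOB"


def make_xap(oob_settings):
    """Build a constructed sample XAP that holds only a manifest."""
    manifest = (
        '<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment"'
        ' EntryPointAssembly="Sample" EntryPointType="Sample.App">'
        + oob_settings + "</Deployment>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppManifest.xaml", manifest)
    return buf.getvalue()


# Constructed manifest fragments for the three cases.
OOB = ('<Deployment.OutOfBrowserSettings><OutOfBrowserSettings ShortName="Sample">'
       "{}</OutOfBrowserSettings></Deployment.OutOfBrowserSettings>")
TRUST = ('<OutOfBrowserSettings.SecuritySettings><SecuritySettings '
         'ElevatedPermissions="Required" /></OutOfBrowserSettings.SecuritySettings>')

if __name__ == "__main__":
    for name, xap in [("plain", make_xap("")), ("oob", make_xap(OOB.format(""))),
                      ("trusted", make_xap(OOB.format(TRUST)))]:
        print(name, "->", classify_xap(xap))
```

Packages that come back as "trusted OOB" are the ones to review as if they were native executables.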