.NET Applets

Did you know you can write 'applets' in .NET?  If you have .NET Framework installed, look at your Internet Explorer's Internet zone security settings, specifically the .NET Framework-reliant components section.  Unless you changed your security settings, your IE is configured to silently download and run code written in .NET.  It doesn't matter whether the code is signed with Authenticode or not.

A good example of .NET applets/controls — note that Microsoft probably calls them something else (web controls?) — is this VG.net demo.  VG.net is a pure .NET vector drawing library.  BTW, you'll need Windows, IE, and .NET Framework to see the demo.  Once you have seen the demo, View Source of the web page.  It has nothing but a reference to a style sheet and an object tag.

The style sheet is just used to stretch the object tag to fill the page.  The object tag references a DLL, WebControls.dll, located at the myxml.com website.  IE loads the 'applet', notes that it's a .NET library, checks the IE security settings, and runs the DLL inside a sandbox of sorts for security's sake.
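A defender's view of the page structure described above, as an added example that is not from the original post: a Python scan that lists `<object>` tags whose `classid` points at a DLL fetched over HTTP. The `http:File.dll#Namespace.Type` form is the classid convention IE used for hosted managed controls; the sample HTML, host names and type names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

def parse_classid(value, page_url):
    """Return (dll_url, type_name) for a managed-control classid, else None."""
    location, _, type_name = value.partition("#")
    scheme, sep, rest = location.partition(":")
    if not sep or scheme.lower() not in ("http", "https"):
        return None  # e.g. clsid:... is classic ActiveX, not a DLL URL
    # "http:Foo.dll" is relative to the page; "http://host/Foo.dll" is absolute
    dll_url = location if rest.startswith("//") else urljoin(page_url, rest)
    if not urlparse(dll_url).path.lower().endswith(".dll"):
        return None
    return dll_url, type_name

class ManagedObjectFinder(HTMLParser):
    """Collect <object> tags that would make IE download and run a .NET DLL."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "object":
            return
        parsed = parse_classid(dict(attrs).get("classid") or "", self.page_url)
        if parsed is None:
            return
        dll_url, type_name = parsed
        page_host = urlparse(self.page_url).hostname
        self.findings.append({
            "dll_url": dll_url,
            "type": type_name,
            # a DLL served from another host than the page deserves a closer look
            "cross_origin": urlparse(dll_url).hostname != page_host,
        })

def find_managed_objects(html, page_url):
    finder = ManagedObjectFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page: one relative managed control, one classic ActiveX
# clsid (ignored), one absolute reference to a DLL on a different host.
SAMPLE = """<html><head><link rel="stylesheet" href="fill.css"></head><body>
<object id="demo" classid="http:WebControls.dll#Demo.Control"></object>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<object classid="http://cdn.example.test/lib/Other.DLL#Lib.Widget"></object>
</body></html>"""

if __name__ == "__main__":
    for f in find_managed_objects(SAMPLE, "http://www.example.test/demo/index.html"):
        print(f)
```
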

A brief visit to the .NET Runtime Security Policy reveals that, for the Internet zone, .NET 'applets' can use the File Open dialog, paint into the 'safe' top-level windows (probably means the window they were instantiated in), print 'safely' (huh?), and are given 10K of domain-specific isolated storage as well as a private clipboard, the size of which may or may not be counted toward that 10K.  I am not sure whether the isolated storage is persistent or not.

I am not too worried about the Internet zone security policy, but the security policy for the LocalIntranet zone does raise some concerns.  For example, there are no UI restrictions at all and the isolated storage size limit is set to some huge number.  Note that I haven't figured out the specific implications of these settings yet and I doubt Microsoft engineers haven't vetted the sanity of the default security settings.  So I think it's early to sound any alarm.  But I am intrigued and disturbed.