Internet applications could side-step browser-based security, reading and writing directly to local PCs if Microsoft Corp decides to implement a recently awarded patent.
Microsoft has secured a patent that allows an application’s author to determine whether their software should run in trusted mode, enabling or disabling security settings.
The patent appears motivated by a desire to let more non-technical programmers build applications for Windows with HTML, without requiring knowledge of more specialized languages such as C++ or Visual Basic.
However, the patent, number 6,662,341 with the US Patent and Trademark Office, appears to raise security concerns.
According to an official filing, patent 6,662,341 would allow HTML applications to read from a remote computer, read the files, floppy disk, optical disk or hard disk of a local PC, or write to a local computer.
The ability for a so-called malicious user to seize control of a PC and run malicious code already forms a substantial element of the weekly security warnings issued to users by Microsoft.
“By designating a file as an HTML application file, the author automatically reaps the benefits of taking advantage of relaxed security standards by not being bound by the security restrictions imposed by the browser,” the patent said.
Microsoft’s patent appears to place the burden of trust on the application’s author, echoing the company’s past trust in external software developers to ship good code. Until recently, Microsoft has shipped products such as IIS and Windows with many of the factory default security settings open. Microsoft had defended this approach in the name of functionality.
The company yesterday was unable to detail its intended use of the patent, but issued a statement calling security a top priority. “We are designing our products to be consistent with that priority,” Microsoft technology policy director David Kaefer said.
This article is based on material originally produced by ComputerWire.