DELETED
- DraconPern
- Site Admin
Just to answer your question on security, because I know everyone is wondering about it.
FrontMotion Login does not use IE to use Flash; Flash is being called directly (as an ActiveX control in an Apartment threading model). This means that a bug in IE will not affect the login; only a bug in Flash will affect the security (Macromedia is pretty good at patching buffer overflow bugs, etc.). You can in fact install the Flash plugin without using IE with a redistributable license from Macromedia. I have already obtained the license to do so and am looking at integrating the Flash plugin in future installs of FrontMotion Login.
Now, there are other security issues which are inherent to an OS component such as FrontMotion Login. The central issue is that as an integral part of the OS, the component is in a sense 'trusted by default' (after all, it is these components that enforce the security of the system). Inside FrontMotion Login security is enforced, and Flash by itself does not take any subversive action unless directed by the swf movie file. Flash files cannot be hacked to 'go around' the login security, e.g., they still won't be able to log in without a password. However, the swf file can take subversive actions that do not involve logins. For example, a bad swf file can send what the user typed in, like their password, to another computer using an HTTP POST. This obviously will eventually lead to a security problem down the road.
Now, the only way that a malicious swf can be used is if a user with admin access specifies that the swf is to be used. That security is enforced through the registry key (only Administrators have write access to the LocalMachine key), and directory security (only Administrators and Power Users can write to the system32 and subdirectories).
In the end it boils down to making sure you only run swf files that do not have malicious code and treat them just like other software that you will run on the computer.
FrontMotion Lead Developer
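
The post above rests the protection of the login movie on two ACLs: the HKLM registry key that selects the swf and the system32 directory that holds it. The following PowerShell audit is an added example, not part of the original post or of FrontMotion's code; the key path and swf file name are placeholders because the post does not give them, and the trusted SID list is an assumption to adjust.

```powershell
# Added example: report ACL entries that let non-trusted accounts change the
# login movie, its directory, or the registry key that selects the movie.
# $KeyPath and $SwfPath are PLACEHOLDERS; substitute the values from your install.
param(
    [string]$KeyPath = 'HKLM:\SOFTWARE\<FrontMotion Login key>',
    [string]$SwfPath = "$env:SystemRoot\System32\<login movie>.swf",
    # Assumed trusted writers: Administrators, SYSTEM, CREATOR OWNER, TrustedInstaller
    [string[]]$TrustedSids = @('S-1-5-32-544', 'S-1-5-18', 'S-1-3-0',
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')
)

# Access-mask bits that allow modifying the object or its ACL:
# DELETE | WRITE_DAC | WRITE_OWNER | GENERIC_WRITE | GENERIC_ALL
$common   = 0x00010000 -bor 0x00040000 -bor 0x00080000 -bor 0x40000000 -bor 0x10000000
# WriteData, AppendData, WriteExtendedAttributes, DeleteChild, WriteAttributes
$fileMask = $common -bor 0x2 -bor 0x4 -bor 0x10 -bor 0x40 -bor 0x100
# SetValue, CreateSubKey, CreateLink
$keyMask  = $common -bor 0x2 -bor 0x4 -bor 0x20

function Get-UntrustedWriter {
    param([string]$Path, [int]$Mask)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Registry and file ACEs expose the mask under different property names.
        $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            [int]$ace.RegistryRights } else { [int]$ace.FileSystemRights }
        if (($rights -band $Mask) -eq 0) { continue }
        # Compare by SID so localized or renamed group names do not matter.
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }   # unresolvable account: keep as shown
        if ($TrustedSids -notcontains $sid) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value
                               Sid = $sid; Rights = ('0x{0:X8}' -f $rights) }
        }
    }
}

# Check the key, the movie itself, and its parent directory (a writable
# directory lets the file be replaced even if the file ACL is tight).
$findings = @($KeyPath, $SwfPath, (Split-Path -Parent $SwfPath)) | ForEach-Object {
    $mask = if ($_ -like 'HKLM:*') { $keyMask } else { $fileMask }
    Get-UntrustedWriter -Path $_ -Mask $mask
}
if ($findings) { $findings | Format-Table -AutoSize } else { 'No untrusted write access found.' }
```

If Power Users are meant to keep write access to system32 as the post describes, add `S-1-5-32-547` to `-TrustedSids`; otherwise that group is reported.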