Good reasons for not letting the browser launch local applications

Question

Hello all,

I know this might be a no-brainer, but please read on.

I also know it's generally not considered a good idea, maybe the worst, to let a browser run and interact with local apps, even in a intranet context.

We use citrix for home-office, and people really like it. Now, they would like the same kind of environment at work, a nice page where every important application/document/folder is nicely arranged and classified in an orderly fashion. These folks are not particularly tech savvy; I don't even consider thinking that they could understand the difference between remote delivered applications and local ones.

So, I've been asked if it's possible. Of course it is, with IE's good ol' ActiveX controls. And I even made a working prototype (that's where it hurts).

But now, I doubt. Isn't it madness to allow such 'dangerous' ActiveX controls, even in the 'local intranet' zone ? People will use the same browser to surf the web, can I fully trust IE ? Isn't there a risk that Microsoft would just disable those controls in future updates / versions ? What if a website, or any kind of malware, just puts another site in the trust list ? With that extent of control, you could as well uninstall every protection and just run amok 'till you got hanged by the IT dept.

I'm about to confront my superiors with the fact that, even if they saw it is doable, it would be a very bad thing. So i'm desperately in need of good and strong arguments, because "let's don't" won't do it.

Of course, if there is nothing to be scared of, that'll be nice too. But I strongly doubt that..

Answer 1

We use citrix for home-office, and people really like it. Now, they would like the same kind of environment at work, a nice page where every important application/document/folder is nicely arranged and classified in an orderly fashion

I haven't used citrix very many times, but what's it got to do with executing local applications? I don't see how "People like citrix" and "browser executing local applications" relate at all?

If the people are accessing your citrix server from home, and want the same experience in the office, then buy a cheap PC, and run the exact same citrix software they run on their home computers. Put this computer in the corner and tell them to go use it. They'll be overjoyed.

Isn't it madness to allow such 'dangerous' ActiveX controls, even in the 'local intranet' zone ? People will use the same browser to surf the web, can I fully trust IE ?

Put it this way. IE has built in support for AX controls. It uses it's security mechanisms to prevent them from running unless in a trusted site. By default no sites are trusted at all.

If you use IE at all then you're putting yourself at the mercy of these security mechanisms. Whether or not you tell it to trust the local intranet is beside the point, and isn't going to affect the operation of any other zones.

The good old security holes that require you to reboot your computer every few weeks when MS issues a patch will continue to exist and cause problems, regardless of whether you allow activex in your local intranet.

Isn't there a risk that Microsoft would just disable those controls in future updates / versions ?

Since XP-SP2, microsoft have been making it increasingly difficult to use ActiveX controls. I don't know how many scary looking warning messages and "This might destroy your computer" dialogs you have to click through these days to get them to run, but it's quite a few. This will only get worse over time.

Answer 2

Well thanks, but let me straigthen this out:

I haven't used citrix very many times, but what's it got to do with executing local applications? I don't see how "People like citrix" and "browser executing local applications" relate at all?

Ok, I wasn't all clear there.. Wel, the 'experience'. Click on it, and something launches.
They want the same functionnality, and categorize the whole mess. The standard citrix homepage (or how we use it) is a simple web page with program icons. Click on it, and the application get's delivered to you. People want the same thing, at work, with their applications/folders/documents. And because I'm a web developer, and they asked me, I do it with a web page... Perhaps I should pass the whole thing over to the VB guy..

If the people are accessing your citrix server from home, and want the same experience in the office, then buy a cheap crappy PC, and run the exact same citrix software they run on their home computers. Put this computer in the corner and tell them to go use it. They'll be overjoyed.

Well, sure, that's what I told. But there is some stuff that we can not launch from the citrix server, that has to be executed locally. There's a citrix guy coming over in a few weeks I just heard, perhaps it's possible to work something out.

Answer 3

Microsoft is walking a fine line. On one hand, they regularly send ActiveX killbits with Windows Update to remove/disable applications that have been misbehaving. On the other hand, the latest version of Sharepoint 2007 (can't speak for earlier versions) allows for Office documents to be opened by clicking a link in the browser, and edited in the local application. When the edit is finished, the changes are transmitted back to the server and the webpage (generally) is refreshed. This is only an IE thing, as Firefox will throw up an error message.

I can see the logic behind it, though. Until Microsoft gets all of their apps 'in the cloud', there are cases that need to bridge the gap between the old client-side apps and a more web-centric business environment. While there is likely a non-web workaround, more and more information workers have come to expect that a large portion of their work will be done in a browser. Anything that makes the integration with the desktop easier is not going to be opposed by anyone except the sysadmins.

Answer 4

The standard citrix homepage (or how we use it) is a simple web page with program icons. Click on it, and the application get's delivered to you. People want the same thing, at work, with their applications/folders/documents. And because I'm a web developer, and they asked me, I do it with a web page... Perhaps I should pass the whole thing over to the VB guy..

Ahh... I know of 2 ways to accomplish this:

You can embed internet explorer into an application, and hook into it and intercept certain kinds of URL's and so on

I saw this done a few years ago - a telephony application embedded internet explorer in itself, and loaded some specially formatted webpages.

In the webpage there was this:

<a href="dial#1800-234-567">Call John Smith</a>

Normally this would be a broken URL, but when the user clicked on this link, the application containing the embedded IE got notified, and proceeded to execute it's own custom code to dial the number from the URL.

You could get your VB guy to write an application which basically just wraps IE, and has handlers for executing applications. You could then code normal webpages with links to just open applications, and the VB app would launch them. This allows you to write your own security stuff (like, only launch applications in a preset list, or so on) into the VB app, and because VB is launching them, not IE, none of the IE security issues will be involved.

The second way is with browser plug-ins.

For example, skype comes with a Firefox plug-in, which looks for phone-numbers in web-pages, and attaches special links to them. When you click on these links it invokes skype - you could conceivably do something similar for launching your citrix apps.

You'd then be tied to firefox though. Writing plugins for IE is much harder than for FF, I wouldn't go down that path unless forced to.