No announcement yet.

Are HTA's a no-no nowadays?

  • Filter
  • Time
  • Show
Clear All
new posts

  • Are HTA's a no-no nowadays?

    I have this idea to use an HTA to bridge the gap between local and remote.

    The HTA seems to be able to by-pass all security stuff, this is very handy for us.
    Of course the hta is delivered as trusted file from our website, our users will use it.

    My idea is to create minimal local hta and update it with the latest HTA contents from the internet.
    Since an HTA *can* make the bridge between local and remote it would be very handy to download and execute generic win32 apps.

    No worries, nothing related to virusses and so, otherwise we would spread a plain exe.
    But this is often an issue if it needs to connect to a remote server.

  • #2
    HTA's down side is client trust. It is just like any other scripting language out there- good or evil may come of it.

    I used some HTA's and they passed audits, in the company intranet. This was a few year back, again what was safe yesterday has gaping holes in it today.

    Not all platforms support HTA - then again I think in your case it does not matter.
    A dozen what.


    • #3
      I consider anything that downloads executable content from the outside to your local PC *without* user intervention a "no no" these days.

      Besides that, most AV/Firewalls will interfere with this kind of activity. If configure to your security software to ignore that HTA (or any other, similar application), you've just created a security hole on that system.

      I prefer software that displays a notification about new avaliable updates and lets me decide wether I would like to download them (now) or not.

      Yes, that might become a hassle, but these days, better be safe than sorry. If your customers demands some kind of automation, make them aware of the security issues involved.


      • #4
        I am with you Knuth, no worries.

        This is indeed for audit stuff and users will get notified about this.
        Also, any content send will be send with ssl.
        I think i'll abandon hta's for the moment and stick to my PB app with interactive webcontrol.

        HTA's are to limited (like cleaning up custom stuff from the HD etc).

        We need to obain data from a local device (database etc) and post it to the website.
        I have several ideas how to solve this but maybe there is an ingenius way to bring a local db's content to the internet (just on demand)
        The connection can be any database.
        Frankly even exported files should be read, so no DB connection.
        We have such a tool which does > 200 importtypes but is not that integrated for local <> remote use yet.
        That's what i am doing at the moment.