Overview

The are no known security issues involving the distribution and deployment of MenuBox. MenuBox operates like any other binary application (.exe), which is trusted by default and which as such may open document and launch other applications.

If you decide to use MenuBox as a browser container to operate an internet kiosk-like system or to otherwise access content which is not under your control and which may contain potentially malicious code, then you should consider setting the NoExecute and the NoRegistry configuration keys.

The MenuBox Extended DOM

The MenuBox Extended Document Object Model (DOM) allows HTML code to perform certain actions that are normally reserved to binary applications (such as, for example, non-HTML AutoRun tools). Whereas this does not introduce any new security implications when running in a local context (e.g. CD or DVD AutoRun), this is normally considered "dangerous" when running in an untrusted internet context (e.g. MenuBox used to operate a kiosk with general internet access).

The MenuBox Extended DOM inherits and is bound by the security privileges of the MenuBox application itself. More specifically, because the MenuBox redistributable runtime code is digitally signed with Microsoft Authenticode technology, MenuBox is bound by the policies which apply to signed applications.

Local, AutoRun and Non-Internet Kiosk Deployment

When a user and/or an administrative policy allow the MenuBox executable to run (from a CD or DVD, or after software installation, etc.), that implies that MenuBox has been trusted and authorized to act as a menu-like front-end for opening certain known documents and programs. This is perfectly fine, and would apply in exactly the same way to any installed or AutoRun-launched application.

Because normal web browsers were designed to protect the user from executing unknown and potentially malicious code in an unknown internet environment, rather than being deployed in a controlled distribution, much of the "trusted" functionality is normally not accessible to Dynamic HTML content, which is not even allowed to close the browser window without a warning message being displayed to the user (not to mention running an executable file). MenuBox overcomes these limitations with the Extended DOM which is part of the MenuBox HTML window mode.

When operating in this context, the MenuBox Extended DOM provides a useful extension to the functionality which is normally accessible to HTML code, allowing the browser container to operate like a binary application, without introducing new security risks compared to other applications.

Access to the System Registry

The GetRegistry method of the MenuBox Extended DOM gives read-only access to registry keys and values, with functionality being limited to checking whether a key exists and to read an existing value.

In consideration of possible security concerns, MenuBox does not offer any functionality to write to an arbitrary registry location.

Nonvolatile Storage Sandbox

The GetNV and SetNV methods of the MenuBox Extended DOM provide read/write access to nonvolatile variables. This information is stored in the current user's registry, inside a publisher-specific subkey (a publisher is a MenuBox licensee with a unique software license key) stored inside a MenuBox-specific key (effectively, a sandbox).

In consideration of possible security concerns, the name of the variables is both normalized (""", "/", "\" and ":" are converted to underscore characters) and truncated after 254 characters to help prevent potential buffer overrun, key traversal and other exploits. A maximum size of 2048 bytes is enforced for all values.

As is the case with public Windows registry key, any application that can read or write to the system registry can access or modify these variables, which are simple and accessible by design.

File Access

The ReadFile and WriteFile methods of the MenuBox Extended DOM provide read/write access to private files stored inside a publisher-specific data directory (a publisher is a MenuBox licensee with a unique software license key) stored inside a MenuBox-specific per-user (roaming) data storage directory. The ReadFile and WriteFile methods do not allow access outside of this sandbox.

In consideration of possible security concerns, the name of the file names is both normalized (""", "/", "\" and ":" are converted to underscore characters) and truncated after 254 characters to help prevent potential buffer overrun, directory traversal and other exploits.

Unrestricted Internet Kiosk Deployment

If MenuBox is used to operate a kiosk-like environment with general access to untrusted internet sites, then it would in theory be possible, for example, for a malicious person to access the kiosk and deliberately open an internet page containing malicious code, and execute that code via the MenuBox Execute function. On newer versions of Windows (Windows XP SP1 and higher) this attempted execution of code originating from the internet would in turn trigger the display of a warning message.

When operating in such an untrusted context it is in general recommended to disable the Execute functionality by setting the MenuBox NoExecute key.

It would in theory also be possible to use the SetNV function to write a large number of nonvolatile variables, with the potential to fill up the registry. This can be prevented by setting the NoRegistry key, which at the same time also blocks all registry access, including the read-only access provided by the GetRegistry method. Similarly, a wasteful use of file writes can be prevented by setting the NoFiles key.