Google has decided to throw away years of progress in Web security, JIT interpreters, and general common sense and has implemented a weak rehash of the ActiveX control. Dubbed Native Client, this new plug-in architecture will allow websites to deliver raw x86 code to users in an attempt to “create richer and more dynamic browser-based applications.”
First of all, there is nothing browser-based about running native code. The browser is simply the distribution medium for your native application. Is Google admitting that AJAX and browser applications aren’t all they’re cracked up to be?
Amid all the hilarious irony, however, we shouldn’t lose sight of how awfully bad this idea really is. I mean, it’s just a terrible idea. Pushing raw machine code down the pipes is not a reasonable solution to the problem. We tried this with ActiveX – it’s been a mess. Sure, they’ve put some thought into security – a thinly veiled ‘sandbox’ that statically analyzes the bytes for any “dangerous commands” before it executes them. Yeah, I’m sure no one is going to find a way around that…
Really, it’s ideas like this that guarantee that anti-virus vendors will always have a job…