[3051] in WWW Security List Archive
RE: Another security problem reported in Microsoft's Internet Explor
daemon@ATHENA.MIT.EDU (Sanjay Menon)
Tue Sep 24 16:17:02 1996
From: Sanjay Menon <sanjayme@microsoft.com>
To: "'trei@process.com'" <trei@process.com>,
"'www-security@ns2.rutgers.edu'" <www-security@ns2.rutgers.edu>
Date: Tue, 24 Sep 1996 11:41:11 -0700
Errors-To: owner-www-security@ns2.rutgers.edu
Peter,
You're absolutely right - when you agree to let code run on your system
there are many undesirable things it can do. This is a problem that
spans all computing platforms and types of code to some degree or
another, and ActiveX controls are no exception. But if the Web has made
it easier for publishers to distribute code, it's also made it easier to
identify and spread the word on malicious code. We think Authenticode
helped a great deal here since the industry was quickly able to identify
the author of the code and ask for a fix. Had the authors refused there
would have been a variety of further enforcement options open, through
both business and legal action. Given Authenticode's goal of providing
an accountability trail, we think it did its job more than adequately
in this instance.
Sanjay Menon
Program Manager, Microsoft Corporation
>-----Original Message-----
From: Peter Trei [SMTP:trei@process.com]
Sent: Monday, September 23, 1996 9:04 AM
To: www-security@ns2.rutgers.edu; cypherpunks@toad.com
Cc: trei@process.com
Subject: Another security problem reported in Microsoft's Internet Explor
(This is posted to both www-security and cypherpunks. Please be
careful where you send responses).
See:
http://www.news.com/News/Item/0,4,3707,00.html
at C|net's news site for the whole story.
Short version:
InfoSpace has released a program as an IE plugin, which,
once the user has agreed to install it, registers InfoSpace
as a 'trusted publisher' in Explorer. This apparently means that
later requests to download InfoSpace programs would not
trigger the dialog boxes requesting permission to download.
InfoSpace describes this as a bug, and is releasing a corrected
version.
Commentary:
I hope that all IE plugin (ActiveX, script, whatever) publishers are
as responsive.
Ideally, I suppose, a downloaded executable component should
not be able to silently manipulate the security policies of the system it
arrives on, but it's hard to see how to prevent this in Microsoft's active
content model.
The Java model is more robustly protected against this problem,
but as a result is not as capable.
The scary thing is that a clever author of Trojan horses could write an
ActiveX control which does nothing but open the gates, and let other
programs in without the Authenticode check. It could even let in
another version of itself, which is also properly signed, but has no
malicious code. Thus, it could cover its tracks.
Peter Trei
trei@process.com
Disclaimer: I do not represent my employer.