[4525] in WWW Security List Archive

SBN Wire: News Flash

daemon@ATHENA.MIT.EDU (Mike Bierch)
Thu Feb 20 11:02:51 1997

Date: Thu, 20 Feb 1997 08:51:59 -0500
To: www-security@ns2.rutgers.edu
From: Mike Bierch <mbierch@thecia.net>
Errors-To: owner-www-security@ns2.rutgers.edu

>Approved-By: sbn@MICROSOFT.COM
>Encoding: 115 TEXT
>Date:         Wed, 19 Feb 1997 23:41:14 -0800
>Reply-To: Site Builder Network <sbn@MICROSOFT.COM>
>Sender: Site Builder Network <SBNAll@LISTSERV.MSN.COM>
>From: Site Builder Network <sbn@MICROSOFT.COM>
>Subject:      SBN Wire: News Flash
>To: SBNAll@LISTSERV.MSN.COM
>
>Dear Site Builder Network Member,
>
>Tomorrow, Microsoft will be posting the attached letter
>to our web site, and sending it out to the Internet
>Explorer community.  In it, Brad Silverberg addresses
>head-on the recent security questions facing the
>industry regarding malicious, unsigned controls.  We
>know this issue is important to you and your customers,
>and wanted to give you a heads-up.
>
>For more information, check out
>http://www.microsoft.com/security
>
>Best regards,
>
>Tod Nielsen
>General Manager, Developer Relations Group
>
>--------------------
>
>From the Office of Brad Silverberg
>Senior Vice President
>Microsoft Corporation
>1 Microsoft Way
>Redmond, WA  98052
>
>
>Dear Internet Users Everywhere:
>
>You may have heard reports about a malicious
>software program created and demonstrated recently
>by the Chaos Computer Club (CCC) in Hamburg,
>Germany.  I want to personally assure you that
>Microsoft(R) Internet Explorer 3.0 has the
>appropriate safeguards to protect against this type
>of threat.  By using its default security level
>(High) that comes pre-set, Internet Explorer 3.0
>will not download and run any "unsigned" control
>such as the one from the CCC.
>
>The CCC demonstrated its malicious executable code
>running on Microsoft Internet Explorer 3.0, though
>they could just as easily have demonstrated a
>similar attack on any other browser.   While it is
>unfortunate that hackers have created this harmful
>program, it does point out the need for users to
>act cautiously and responsibly on the Internet,
>just as they do in the physical world.
>
>Malicious code can be written and disguised in many
>ways - within application macros, Java(tm) applets,
>ActiveX(tm) controls, Navigator plug-ins, Macintosh(R)
>applications and more.  For that reason, with
>Internet Explorer 3.0, Microsoft has initiated
>efforts to protect users against these threats.
>Microsoft Authenticode(tm) in Internet Explorer 3.0 is
>the only commercial technology in use today that
>identifies who published executable code you might
>download from the Internet, and verifies that it
>hasn't been altered since publication.
>
>If users choose to change the default security
>level from High to Medium, they still have the
>opportunity to protect themselves from unsigned
>code.  At a Medium setting, prior to downloading
>and running executable software on your computer,
>Microsoft Internet Explorer presents you with a
>dialog either displaying the publisher's
>certificate, or informing you that an "unsigned
>control" can be run on your machine.  At that
>point, in either case, you are in control and can
>decide how to proceed.
>
>As you know, Microsoft is committed to giving users
>a rich computing experience while providing
>appropriate safeguards.  Most useful and productive
>applications need a wide range of system services,
>and would be seriously limited in functionality
>without access to these services.  This means that
>many Java applications will have to go "outside the
>sandbox" to provide users with rich functionality.
>By signing code, a developer can take advantage of
>these rich services while giving users the
>authentication and integrity safeguards they need.
>Other firms such as Sun and Netscape are following
>our lead, and have announced that they will also
>provide code signing for Java applets. Microsoft
>will also be providing an enhanced Java security
>model in the future, giving users and developers
>flexible levels of functionality and security.
>
>Microsoft takes the threat of malicious code very
>seriously.  It is a problem that affects everyone
>in our industry.  This issue is not tied to any
>specific vendor or group of people.  All of us that
>use computers for work, education, or just plain
>fun need to be aware of potential risks and use the
>precautions that can insure we all get the most out
>of our computers. For this reason, we are committed
>to providing great safeguards against these types
>of threats in Internet Explorer.  We expect hackers
>and virus writers to get increasingly sophisticated
>but we pledge we'll continue to keep you and us
>one step ahead of them.
>
>Best regards,
>
>Brad Silverberg
>
>P.S. Be sure to check out our Web Executable
>Security Advisor at
>http://www.microsoft.com/security
>
>