1996-09-24 - Another security problem reported in Microsoft’s Internet Explor

Header Data

From: “Peter Trei” <trei@process.com>
To: cypherpunks@toad.com
Message Hash: 777007d2e87940ac30f9869d150477e759c11c1c994503d31058e4beb69ec137
Message ID: <199609232003.NAA24214@toad.com>
Reply To: N/A
UTC Datetime: 1996-09-24 02:03:35 UTC
Raw Date: Tue, 24 Sep 1996 10:03:35 +0800

Raw message

From: "Peter Trei" <trei@process.com>
Date: Tue, 24 Sep 1996 10:03:35 +0800
To: cypherpunks@toad.com
Subject: Another security problem reported in Microsoft's Internet Explor
Message-ID: <199609232003.NAA24214@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


(This is posted to both www-security and cypherpunks. Please be
careful where you send responses).

See:
http://www.news.com/News/Item/0,4,3707,00.html 
at C|net's news site for the whole story. 

Short version:

InfoSpace has released a program as an IE plugin, which,
once the user has agreed to install it, registers InfoSpace
as a 'trusted publisher' in Explorer. This apparently means that 
later requests to download Infospace programs would not 
trigger the dialog boxes requesting permission to download.

InfoSpace describes this as a bug, and is releasing a corrected
version. 

Commentary:

I hope that all IE plugin (ActiveX, script, whatever) publishers are
as responsive.

Ideally, I suppose, a downloaded executable component should
not be able to silently manipulate the security policies of the system it
arrives on, but it's hard to see how to prevent this in Microsoft's active
content model.

The Java model is more robustly protected against this problem,
but as a result is not as capable.

The scary thing is that a clever author of Trojan horses could write an
ActiveX control which does nothing but open the gates, and let other
programs in without the Authenticode check. It could even let in 
another version of itself, which is also properly signed, but has no
malicous code. Thus, it could cover it's tracks.

Peter Trei
trei@process.com 
Disclaimer:  I do not represent my employer.





Thread