From: Gary Howland <gary@systemics.com>
To: cypherpunks@toad.com
Message Hash: fb3bfc7a09723e80035726b48619a47e287403b765d2359143628870f3ea26bb
Message ID: <199609231826.UAA16049@internal-mail.systemics.com>
Reply To: N/A
UTC Datetime: 1996-09-24 02:52:10 UTC
Raw Date: Tue, 24 Sep 1996 10:52:10 +0800
From: Gary Howland <gary@systemics.com>
Date: Tue, 24 Sep 1996 10:52:10 +0800
To: cypherpunks@toad.com
Subject: Security flaw in Microsft Explorer
Message-ID: <199609231826.UAA16049@internal-mail.systemics.com>
MIME-Version: 1.0
Content-Type: text/plain
Program compromises IE security
By Nick Wingfield
September 23, 1996, 10:45 a.m. PT
A start-up Internet company has posted a
program on the Net that could allow Web sites to bypass
the security controls in Internet Explorer, CNET has
learned.
The company, InfoSpace, created a program aimed at Net
search engines such as Lycos and Excite that want to
become the default search engine in Microsoft's Internet
Explorer 3.0. But the program, which is actually featured on
the Lycos Web site, manages to circumvent Explorer's
security warning window--an action that could let
InfoSpace sneak programs onto a user's personal computer
without warning.
Although the InfoSpace program apparently was not created
with malicious intent, it underscores the fragility of Internet
Explorer's security defenses, as well as broader security
issues related to downloading software over the Internet.
The InfoSpace program sidesteps a security feature in
Internet Explorer, called Authenticode, which is designed to
allow users to verify the origins of a piece of software code,
such as an ActiveX control, a script, or a plug-in. The
Authenticode system requires a user to entrust the
developer of a program, whether it's InfoSpace, Lotus
Development, or IBM, not to install viruses or other
destructive programs on the user's system.
Although Authenticode does not prevent software
developers from creating such programs, they can be held
legally accountable for bad code. That's because the
programs contain "digital signatures," a sort of ID card that
allows perpetrators to be tracked down by law enforcement
agencies. Microsoft works with VeriSign to provide digital
signatures for programs.
Last month, VeriSign took matters into its own hands by
asking a developer, Fred McLain, to remove an ActiveX
control called Exploder from his Web site. The Exploder
control was designed to crash a user's computer after
downloading.
"Code signing is not a guarantee of code quality," Charles
Fitzgerald, a product manager at Microsoft said. "It's an
accountability trail."
As with all digitally signed programs, users are offered the
option to accept or to reject the InfoSpace program before
installing it on their systems. Users are also offered the
option to bypass the Authenticode warning window for all
InfoSpace programs in the future.
But the company's program registers InfoSpace as a
"trusted publisher" in Explorer, effectively opening the
browser to intrusions. The operation is akin to inviting a
guest over to your house for dinner and having them copy
the key to your front door without permission.
InfoSpace executives denied that there was any malice
intended in its program, adding that it has provided Lycos
with an updated version of the code. Lycos plans to post the
new program later this evening, according to InfoSpace.
"It was a bug that got incorporated into the production
code," InfoSpace CEO Naveen Jain said.
Lycos CEO Bob Davis said he was not aware of the bug in
the InfoSpace program and could not comment on it. The
program is identified as Lycos Quick Search on the search
engine's site.
However, Microsoft officials expressed concern, saying it is
hard to defend against once a user has consented to
download code from the Net.
"Clearly their software is doing something a tad
aggressive," said Rob Price, a group program manager for
Internet security at Microsoft."[With Authenticode], users
are making a one-time trust decision, this is a persistent
trust decision."
Microsoft argued that Explorer provides better security than
Netscape Communications' Navigator, which does not
currently allow digital signatures on plug-ins. In Explorer,
users are warned before downloading code even if the
program does not contain a digital signature, though the
source of the program is not identified.
In contrast to plug-in software and ActiveX controls, Java
applets are prevented from damaging a user's computer
through built-in restrictions in the Java Virtual Machine.
"Java is the model for dynamic executable content on the
Net," said Eric Greenberg, group security manager at
Netscape.
Return to September 1996
Return to “Gary Howland <gary@systemics.com>”
1996-09-24 (Tue, 24 Sep 1996 10:52:10 +0800) - Security flaw in Microsft Explorer - Gary Howland <gary@systemics.com>