Bugtraq mailing list archives

MS signed softwrare privileges

From: cuartango () TELELINE ES (cuartango () TELELINE ES)
Date: Tue, 22 Feb 2000 16:35:38 -0000


I would like to clarify some aspects from the Elias post 
regarding Microsoft signed software.
The fact that anybody could install MS signed software 
using Active Setup component in not very important.
The issue is : MS can silently execute any code in our 
Windows systems just using their signature.
MS has privileged their code, even if your IE security 
setting "Download signed ActiveX" is set to prompt MS 
software will be installed without prompting the user.
It seems that MS has left a back door that will allow them 
to perform any action in the Windows systems just visiting 
a WEB page or opening an e-mail message.
I have prepared a demo in :
http://www.angelfire.com/ab/juan123/iengine.html

This demo shows the diferent behaviour of IE when the 
ActiveX is signed by MS or signed by others. 

This issue opens a big security and privacy hole, MS can 
take complete control over our systems using this backdoor.

In this backdoor acceptable ?
In my opinion It is not, I have worked 18 years for 
diferent OS software manufacturers and I have never 
installed one line of code without a previous user approval.

Current thread:

MS signed softwrare privileges cuartango () TELELINE ES (Feb 22)
- Re: MS signed softwrare privileges Dax Kelson (Feb 22)
- Re: MS signed softwrare privileges Bob Fiero (Feb 22)
- <Possible follow-ups>
- Re: MS signed softwrare privileges Steven M. Bellovin (Feb 23)
- Re: MS signed softwrare privileges Microsoft Product Security Response Team (Feb 23)
  - Re: MS signed softwrare privileges Simple Nomad (Feb 24)
  - BID 994, MS00-010 (Site Server Commerce Edition non-validated SQL inputs) Ben Greenbaum (Feb 25)