Microsoft's recent arrogant and irresponsible reply to the Chaos Computer Club hack on ActiveX requires response. An effective response would be to steal the key of a major code signer and produce a signed, malicious ActiveX control. Such an attack would demonstrate the serious problems of Microsoft's security philosophy. Hackers have known since ActiveX was announced that its security model is ridiculous. Signatures are not enough to protect users from malicious code. Exploder and the CCC hack have done a great job of demonstrating practical examples of why ActiveX is dangerous. The CCC hack in particular has made the ActiveX security issue visible enough that Microsoft has been forced to respond publically. Unfortunately, their published response on http://www.microsoft.com/security/ does not begin to admit the fundamental flaws in ActiveX. Instead, they continue to hide behind code signatures and mislead the public that their system is no less secure than Java. The obvious response to Microsoft's attempt at damage control is to demonstrate an attack with a control signed by a reputable party. There are three ways to do this: subvert an existing signed control, subvert the signature protocols, or steal a signing key. Subverting existing signed controls is an interesting avenue. Currently used ActiveX controls have implementation bugs that could be exploited in an attack. Finding one would be a fair amount of work, however, and a successful attack would only show that code has bugs, not demonstrate the fundamental flaw in relying on code signatures. The signature protocols of Authenticode are presumably secure - getting signatures right is well understood. Still, does anyone have information on exactly how the signatures work? The best avenue of attack is stealing the secret key of a respected code signer. The target should be one of the major players, if not Microsoft itself. Someone is sloppy to store their secret key on a machine hooked to the Internet. Stealing it would be a very nice challenge. It should be doable. Stealing the key itself will almost certainly be an illegal act. Morally, the demonstration signed control should itself not do damage. Something like the Exploder control (which warns the user before shutting down the machine) should be good enough to show the flaws of ActiveX without causing trouble. A public discussion about how to best go about this attack should be interesting. For obvious reason, the attack itself would have to be done in secrecy.