From cypherpunks-errors@toad.com Tue Sep 24 00:06:48 1996 Return-Path: cypherpunks-errors@toad.com Received: from toad.com (toad.com [140.174.2.1]) by oak.westol.com (8.7.5/8.6.9) with ESMTP id AAA15647 for <shadseek@westol.com>; Tue, 24 Sep 1996 00:06:48 -0400 Received: (from majordom@localhost) by toad.com (8.7.5/8.7.3) id LAA23286 for cypherpunks-outgoing; Mon, 23 Sep 1996 11:26:23 -0700 (PDT) Received: from smokey.systemics.com (smokey.systemics.com [193.67.124.65]) by toad.com (8.7.5/8.7.3) with SMTP id LAA23280 for <cypherpunks@toad.com>; Mon, 23 Sep 1996 11:26:14 -0700 (PDT) Received: from internal-mail.systemics.com (kp1HuXoYZnhRYRtN5QVHP59VjfL1vS2Z@internal-mail.systemics.com [193.67.124.74]) by smokey.systemics.com (8.6.12/8.6.12) with ESMTP id UAA10263 for <cypherpunks@toad.com>; Mon, 23 Sep 1996 20:26:00 +0200 Received: (from gary@localhost) by internal-mail.systemics.com id UAA16049 for cypherpunks@toad.com; Mon, 23 Sep 1996 20:26:40 +0200 Date: Mon, 23 Sep 1996 20:26:40 +0200 From: Gary Howland <gary@systemics.com> Message-Id: <199609231826.UAA16049@internal-mail.systemics.com> To: cypherpunks@toad.com Reply-To: gary@systemics.com Subject: Security flaw in Microsft Explorer Sender: owner-cypherpunks@toad.com Precedence: bulk X-UIDL: 843538362.000 Status: U

Program compromises IE security By Nick Wingfield September 23, 1996, 10:45 a.m. PT A start-up Internet company has posted a program on the Net that could allow Web sites to bypass the security controls in Internet Explorer, CNET has learned. The company, InfoSpace, created a program aimed at Net search engines such as Lycos and Excite that want to become the default search engine in Microsoft's Internet Explorer 3.0. But the program, which is actually featured on the Lycos Web site, manages to circumvent Explorer's security warning window--an action that could let InfoSpace sneak programs onto a user's personal computer without warning. Although the InfoSpace program apparently was not created with malicious intent, it underscores the fragility of Internet Explorer's security defenses, as well as broader security issues related to downloading software over the Internet. The InfoSpace program sidesteps a security feature in Internet Explorer, called Authenticode, which is designed to allow users to verify the origins of a piece of software code, such as an ActiveX control, a script, or a plug-in. The Authenticode system requires a user to entrust the developer of a program, whether it's InfoSpace, Lotus Development, or IBM, not to install viruses or other destructive programs on the user's system. Although Authenticode does not prevent software developers from creating such programs, they can be held legally accountable for bad code. That's because the programs contain "digital signatures," a sort of ID card that allows perpetrators to be tracked down by law enforcement agencies. Microsoft works with VeriSign to provide digital signatures for programs. Last month, VeriSign took matters into its own hands by asking a developer, Fred McLain, to remove an ActiveX control called Exploder from his Web site. The Exploder control was designed to crash a user's computer after downloading. "Code signing is not a guarantee of code quality," Charles Fitzgerald, a product manager at Microsoft said. "It's an accountability trail." As with all digitally signed programs, users are offered the option to accept or to reject the InfoSpace program before installing it on their systems. Users are also offered the option to bypass the Authenticode warning window for all InfoSpace programs in the future. But the company's program registers InfoSpace as a "trusted publisher" in Explorer, effectively opening the browser to intrusions. The operation is akin to inviting a guest over to your house for dinner and having them copy the key to your front door without permission. InfoSpace executives denied that there was any malice intended in its program, adding that it has provided Lycos with an updated version of the code. Lycos plans to post the new program later this evening, according to InfoSpace. "It was a bug that got incorporated into the production code," InfoSpace CEO Naveen Jain said. Lycos CEO Bob Davis said he was not aware of the bug in the InfoSpace program and could not comment on it. The program is identified as Lycos Quick Search on the search engine's site. However, Microsoft officials expressed concern, saying it is hard to defend against once a user has consented to download code from the Net. "Clearly their software is doing something a tad aggressive," said Rob Price, a group program manager for Internet security at Microsoft."[With Authenticode], users are making a one-time trust decision, this is a persistent trust decision." Microsoft argued that Explorer provides better security than Netscape Communications' Navigator, which does not currently allow digital signatures on plug-ins. In Explorer, users are warned before downloading code even if the program does not contain a digital signature, though the source of the program is not identified. In contrast to plug-in software and ActiveX controls, Java applets are prevented from damaging a user's computer through built-in restrictions in the Java Virtual Machine. "Java is the model for dynamic executable content on the Net," said Eric Greenberg, group security manager at Netscape.