RE: It is time to break Authenticode
Microsoft's recent arrogant and irresponsible reply to the Chaos Computer Club hack on ActiveX requires response. An effective response would be to steal the key of a major code signer and produce a signed, malicious ActiveX control. Such an attack would demonstrate the serious problems of Microsoft's security philosophy.
...
The best avenue of attack is stealing the secret key of a respected code signer. The target should be one of the major players, if not Microsoft itself. Someone is sloppy to store their secret key on a
It really should be Microsoft, for good exposure.
getting signatures right is well understood. Still, does anyone have information on exactly how the signatures work?
http://www.microsoft.com/kb/articles/q159/8/93.htm
Stealing the key itself will almost certainly be an illegal act. Morally, the demonstration signed control should itself not do damage. Something like the Exploder control (which warns the user before shutting down the machine) should be good enough to show the flaws of ActiveX without causing trouble.
The most interesting abuse of ActiveX that I've heard of was a company that released an ActiveX control that modified the security manager used to verify and pass ActiveX controls, essentially registering their company as a trusted provider. Thus once this one control was accepted, all other controls signed by that company were automatically accepted by the browser. The company quickly retracted the control and claimed that the authentication abuse was a feature put in while the control was in beta-cycle and accidentally left in when it was finally released. Oops! (This was reported on the www-security mailing list, but I have lost the ref)

Perhaps an interesting "nudie screensaver" control could be made to mail any Root.cer Cert.cer and Cert.spc (I guess) files lying around on the target computer to a well known mailing-list... One wonders whether it would even be illegal. *sigh* I suppose it would be.

-- JJL
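The incident above turns on a control quietly adding its publisher to the browser's trust list, after which every later control from that publisher is accepted without a prompt. The defensive check that follows is an added example, not code from anyone in this thread: on a modern Windows host it audits the per-user and machine Trusted Publisher certificate stores against a list of thumbprints you have actually vetted (the thumbprint values shown are placeholders, an assumption of this example).

```powershell
# Added example: audit the Trusted Publisher stores for certificates that
# are not on an approved list. Any certificate present here lets code signed
# with it run without the usual publisher prompt, so unexpected entries are
# exactly the kind of silent trust change described in the thread.

# Placeholders: replace with the thumbprints your organisation has approved.
$ApprovedThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-1',
    'PLACEHOLDER-THUMBPRINT-2'
)

# Both the current user's and the machine-wide store can be abused.
$Stores = @(
    'Cert:\CurrentUser\TrustedPublisher',
    'Cert:\LocalMachine\TrustedPublisher'
)

$Findings = foreach ($Store in $Stores) {
    if (-not (Test-Path -Path $Store)) { continue }
    Get-ChildItem -Path $Store | ForEach-Object {
        [pscustomobject]@{
            Store      = $Store
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Approved   = ($ApprovedThumbprints -contains $_.Thumbprint)
        }
    }
}

# Report anything that is trusted but was never approved.
$Unexpected = @($Findings | Where-Object { -not $_.Approved })
if ($Unexpected.Count -gt 0) {
    Write-Warning ("{0} unapproved Trusted Publisher certificate(s) found" -f $Unexpected.Count)
    $Unexpected | Format-Table Store, Subject, Issuer, Thumbprint, NotAfter -AutoSize
} else {
    Write-Output 'Trusted Publisher stores contain only approved certificates.'
}
```

Run it periodically (or from a logon script) and treat any new entry in the report as a change to investigate, since a legitimate publisher rarely needs to be pre-trusted silently.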
On Tue, 4 Mar 1997, John Lehmann (SSASyd) wrote: [ ActiveX discussion snipped ]
Perhaps an interesting "nudie screensaver" control could be made to mail any Root.cer Cert.cer and Cert.spc (I guess) files lying around on the target computer to a well known mailing-list...
One wonders whether it would even be illegal. *sigh* I suppose it would be.
This may be feasible without resorting to ActiveX. Microsoft IE 3.0 has a nifty security bug that allows a malicious WWW page to run arbitrary programs (e.g. "format c: /y"). Details (and a demo that starts the Windows calculator locally) are at http://www.cybersnot.com/iebug.html

There are "uploader" programs for WWW servers; one of these should be modifiable to look for %PGPPATH%/secring.pgp without prompting...

The great (?) thing about this bug is that, since there is no confirmation and the rogue programs don't use ActiveX or Java, you can't prevent a site from trashing your PC. (Except by trashing your copy of IE.) Microsoft will have a fix out Real Soon Now, of course...

Cynthia

===============================================================
Cynthia H. Brown, P.Eng.
E-mail: cynthb@iosphere.net | PGP Key: See Home Page
Home Page: http://www.iosphere.net/~cynthb/
Junk mail will be ignored in the order in which it is received.
Klein bottle for rent; enquire within.
Participants (2)
- Cynthia H. Brown
- John Lehmann (SSASyd)