(This is posted to both www-security and cypherpunks. Please be careful where you send responses). See: http://www.news.com/News/Item/0,4,3707,00.html at C|net's news site for the whole story. Short version: InfoSpace has released a program as an IE plugin, which, once the user has agreed to install it, registers InfoSpace as a 'trusted publisher' in Explorer. This apparently means that later requests to download Infospace programs would not trigger the dialog boxes requesting permission to download. InfoSpace describes this as a bug, and is releasing a corrected version. Commentary: I hope that all IE plugin (ActiveX, script, whatever) publishers are as responsive. Ideally, I suppose, a downloaded executable component should not be able to silently manipulate the security policies of the system it arrives on, but it's hard to see how to prevent this in Microsoft's active content model. The Java model is more robustly protected against this problem, but as a result is not as capable. The scary thing is that a clever author of Trojan horses could write an ActiveX control which does nothing but open the gates, and let other programs in without the Authenticode check. It could even let in another version of itself, which is also properly signed, but has no malicous code. Thus, it could cover it's tracks. Peter Trei trei@process.com Disclaimer: I do not represent my employer.