Security flaw in Microsft Explorer

[Gary Howland <gary@systemics.com>]

                     Program compromises IE security 
                     By Nick Wingfield
                     September 23, 1996, 10:45 a.m. PT 

                                A start-up Internet company has posted a
                     program on the Net that could allow Web sites to bypass
                     the security controls in Internet Explorer, CNET has
                     learned. 

                     The company, InfoSpace, created a program aimed at Net
                     search engines such as Lycos and Excite that want to
                     become the default search engine in Microsoft's Internet
                     Explorer 3.0. But the program, which is actually featured on
                     the Lycos Web site, manages to circumvent Explorer's
                     security warning window--an action that could let
                     InfoSpace sneak programs onto a user's personal computer
                     without warning. 

                     Although the InfoSpace program apparently was not created
                     with malicious intent, it underscores the fragility of Internet
                     Explorer's security defenses, as well as broader security
                     issues related to downloading software over the Internet. 

                     The InfoSpace program sidesteps a security feature in
                     Internet Explorer, called Authenticode, which is designed to
                     allow users to verify the origins of a piece of software code,
                     such as an ActiveX control, a script, or a plug-in. The
                     Authenticode system requires a user to entrust the
                     developer of a program, whether it's InfoSpace, Lotus
                     Development, or IBM, not to install viruses or other
                     destructive programs on the user's system. 

                     Although Authenticode does not prevent software
                     developers from creating such programs, they can be held
                     legally accountable for bad code. That's because the
                     programs contain "digital signatures," a sort of ID card that
                     allows perpetrators to be tracked down by law enforcement
                     agencies. Microsoft works with VeriSign to provide digital
                     signatures for programs. 

                     Last month, VeriSign took matters into its own hands by
                     asking a developer, Fred McLain, to remove an ActiveX
                     control called Exploder from his Web site. The Exploder
                     control was designed to crash a user's computer after
                     downloading. 

                     "Code signing is not a guarantee of code quality," Charles
                     Fitzgerald, a product manager at Microsoft said. "It's an
                     accountability trail." 

                     As with all digitally signed programs, users are offered the
                     option to accept or to reject the InfoSpace program before
                     installing it on their systems. Users are also offered the
                     option to bypass the Authenticode warning window for all
                     InfoSpace programs in the future. 

                     But the company's program registers InfoSpace as a
                     "trusted publisher" in Explorer, effectively opening the
                     browser to intrusions. The operation is akin to inviting a
                     guest over to your house for dinner and having them copy
                     the key to your front door without permission. 

                     InfoSpace executives denied that there was any malice
                     intended in its program, adding that it has provided Lycos
                     with an updated version of the code. Lycos plans to post the
                     new program later this evening, according to InfoSpace.

                     "It was a bug that got incorporated into the production
                     code," InfoSpace CEO Naveen Jain said. 

                     Lycos CEO Bob Davis said he was not aware of the bug in
                     the InfoSpace program and could not comment on it. The
                     program is identified as Lycos Quick Search on the search
                     engine's site. 

                     However, Microsoft officials expressed concern, saying it is
                     hard to defend against once a user has consented to
                     download code from the Net. 

                     "Clearly their software is doing something a tad
                     aggressive," said Rob Price, a group program manager for
                     Internet security at Microsoft."[With Authenticode], users
                     are making a one-time trust decision, this is a persistent
                     trust decision." 

                     Microsoft argued that Explorer provides better security than
                     Netscape Communications' Navigator, which does not
                     currently allow digital signatures on plug-ins. In Explorer,
                     users are warned before downloading code even if the
                     program does not contain a digital signature, though the
                     source of the program is not identified. 

                     In contrast to plug-in software and ActiveX controls, Java
                     applets are prevented from damaging a user's computer
                     through built-in restrictions in the Java Virtual Machine. 

                     "Java is the model for dynamic executable content on the
                     Net," said Eric Greenberg, group security manager at
                     Netscape.