[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Another security problem reported in Microsoft's Internet Explor



(This is posted to both www-security and cypherpunks. Please be
careful where you send responses).

See:
http://www.news.com/News/Item/0,4,3707,00.html 
at C|net's news site for the whole story. 

Short version:

InfoSpace has released a program as an IE plugin, which,
once the user has agreed to install it, registers InfoSpace
as a 'trusted publisher' in Explorer. This apparently means that 
later requests to download Infospace programs would not 
trigger the dialog boxes requesting permission to download.

InfoSpace describes this as a bug, and is releasing a corrected
version. 

Commentary:

I hope that all IE plugin (ActiveX, script, whatever) publishers are
as responsive.

Ideally, I suppose, a downloaded executable component should
not be able to silently manipulate the security policies of the system it
arrives on, but it's hard to see how to prevent this in Microsoft's active
content model.

The Java model is more robustly protected against this problem,
but as a result is not as capable.

The scary thing is that a clever author of Trojan horses could write an
ActiveX control which does nothing but open the gates, and let other
programs in without the Authenticode check. It could even let in 
another version of itself, which is also properly signed, but has no
malicous code. Thus, it could cover it's tracks.

Peter Trei
[email protected] 
Disclaimer:  I do not represent my employer.