Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: MS signed softwrare privileges
From: Dax () GURULABS COM (Dax Kelson)
Date: Tue, 22 Feb 2000 19:54:47 -0700


cuartango () TELELINE ES said once upon a time (Tue, 22 Feb 2000):

I would like to clarify some aspects from the Elias post regarding
Microsoft signed software. The fact that anybody could install MS
signed software using Active Setup component in not very important.
The issue is : MS can silently execute any code in our Windows systems
just using their signature. MS has privileged their code, even if your
IE security setting "Download signed ActiveX" is set to prompt MS
software will be installed without prompting the user. It seems that
MS has left a back door that will allow them to perform any action in
the Windows systems just visiting a WEB page or opening an e-mail
message. I have prepared a demo in :
http://www.angelfire.com/ab/juan123/iengine.html

This demo shows the diferent behaviour of IE when the ActiveX is
signed by MS or signed by others.

This issue opens a big security and privacy hole, MS can take complete
control over our systems using this backdoor.

In this backdoor acceptable ? In my opinion It is not, I have worked
18 years for diferent OS software manufacturers and I have never
installed one line of code without a previous user approval.

You definitely have a point.

However (playing devil's advocate), you've trusted Microsoft to silently
execute "any code" on your machine at least once before by installing
their closed-source operating system, and that is a massive amount of
unaudited code.

Dax Kelson
Guru Labs


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]