Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: MS signed softwrare privileges
From: thegnome () NMRC ORG (Simple Nomad)
Date: Thu, 24 Feb 2000 14:15:35 -0600


Let me get this straight -- you had users complain because of some OK
buttons they had to click on, so you made some changes. Juan and Elias
both have comments that are negative to those changes, so you decide to
put the security of the system into end user hands. If I were a sys admin
at a large company and were responsible for protecting users from
themselves, *I* would want to make that decision, not my end users.

Yes I am aware of other products that do this, such as the warning before
you submit a form in Netscape. However I don't think that this makes sense
when it involves downloading of potentially nefarious code. In my opinion
it doesn't fully address either Juan's paranoia (justified or not)
nor Elias' comments.

-         Simple Nomad          -  No rest for the Wicca'd  -
-      thegnome () nmrc org        -        www.nmrc.org       -
-  thegnome () razor bindview com  -     razor.bindview.com    -

On Wed, 23 Feb 2000, Microsoft Product Security Response Team wrote:

Hi All -

We wanted to respond to Juan Cuartango's comments on the purpose of the
handling of Microsoft certificates in the Active Setup control.  While we
love a good conspiracy theory as much as the next person, the reality is
that the certificates are treated as they are in order to improve our
customers' experience while downloading software from Microsoft web sites.
In the past, customers complained about being prompted to "OK" every signed
control after they went to one of our web sites to load or update software.
Because of this, the Active Setup control treats the Microsoft certificates
as "trusted providers".

We understand that a few customers may find this behavior undesirable, and
we are concerned by the scenario that Elias pointed out.  Therefore, we will
be modifying the Active Setup control so that it warns before downloading
unless a customer has specifically requested that he not be warned in the
future.  Regards,

Secure () microsoft com



-----Original Message-----
From: cuartango () TELELINE ES [mailto:cuartango () TELELINE ES]
Sent: Tuesday, February 22, 2000 8:36 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: MS signed softwrare privileges


I would like to clarify some aspects from the Elias post
regarding Microsoft signed software.
The fact that anybody could install MS signed software
using Active Setup component in not very important.
The issue is : MS can silently execute any code in our
Windows systems just using their signature.
MS has privileged their code, even if your IE security
setting "Download signed ActiveX" is set to prompt MS
software will be installed without prompting the user.
It seems that MS has left a back door that will allow them
to perform any action in the Windows systems just visiting
a WEB page or opening an e-mail message.
I have prepared a demo in :
http://www.angelfire.com/ab/juan123/iengine.html

This demo shows the diferent behaviour of IE when the
ActiveX is signed by MS or signed by others.

This issue opens a big security and privacy hole, MS can
take complete control over our systems using this backdoor.

In this backdoor acceptable ?
In my opinion It is not, I have worked 18 years for
diferent OS software manufacturers and I have never
installed one line of code without a previous user approval.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]