Last updated: February 20, 1997
The Web provides both a rich experience and a new way to easily get useful information and programs, but it also raises the risk of unknowingly downloading infected or malicious software. Executables, once installed on users' computers, could potentially tamper with users' files. As part of the Microsoft® Web Executable Security Advisor Program, we'll explore how users can minimize the risks of downloading software executables from the Internet to their computers.
Unlike software in retail stores, software on the Internet is not labeled or "shrink-wrapped." As a result, users don't know for sure who published a piece of software, what the software will do on their computers, or whether the code has been tampered with.
Despite these concerns, users want a rich computing experience with the software they download from the Internet. Developers can write these useful and full-featured applications with ActiveX™ controls and Navigator plug-ins today. Java™ applications can provide users with full and rich functionality, such as saving data to the hard drive, only by leaving the "sandbox," because the sandbox restricts the range of system services available to Java applets. However, running an applet outside of the sandbox increases the risk that users will encounter malicious code.
Malicious code is an industry-wide problem, and this problem applies to all types of code: application macros, Java applets, ActiveX controls, and Navigator plug-ins. Code signing technology reduces the risk of users running malicious code, by identifying who published signed code and verifying that the code hasn't been tampered with.
Through Microsoft's implementation of code signing -- Authenticode™ technology -- applets can access services outside the sandbox today while providing users with accountability and integrity measures. Other firms such as Sun and Netscape have announced that they will provide code signing to enable applets to step outside the sandbox. Microsoft will also be providing an enhanced Java security model in Internet Explorer 4.0, giving users and developers flexible levels of functionality and security.
Accountability and integrity are critical safeguards for users, regardless of the type of code. Microsoft is providing Authenticode technology through Internet Explorer 3.0 today to help users decide whether to download and install executables from the Internet.
See the links on the left to read about: Authenticode technology, Brad Silverberg's letter to Internet users, various malicious controls, and where to go for more information. Developers can also read about signing their code using Authenticode.
© 1997 Microsoft Corporation. All rights reserved. Legal Notices.