Microsoft Responds to an Unsigned, Malicious Control
February 1997
On January 28, 1997 the Chaos Computer Club in Hamburg, Germany announced
that it had created an ActiveX control that could modify a user's Quicken
transaction file. To our knowledge, this control was not signed using
Authenticode technology, and no certificate authority has issued the club
a software publisher certificate.
When considering downloaded executable code, it is important to keep the
following in mind:
- Internet Explorer users are safe by default. The control was not signed, and
at its default safety setting Microsoft Internet Explorer 3.0 will not execute
unsigned code. Users who have lowered that setting give up this protection
and should treat any unsigned control as untrusted.
- The underlying problem is that malicious developers can create malicious
executable code. Executable code can be created for great benefit or for
harm, just as a hammer can be used to build useful and beautiful buildings
or to knock down walls and destroy. The effect depends on who is using the
tool and how it is being used.
- The problem exists for all downloaded executable code; it is not specific
to ActiveX. Application macros, Java applets and applications (particularly
ones outside a sandbox), Navigator plug-ins, Macintosh® applications, and
ActiveX controls can all be written to do great things or malicious things,
depending on the intent of the developer.
- Microsoft is serious about protecting users while providing them with the
richest computing experience possible. Therefore, Microsoft has taken the
lead in giving users the tools to determine who developed a piece of
executable code, so that they can make reasoned and informed decisions
about whose code to trust.
- Microsoft Authenticode is the only technology in use today providing
accountability and integrity for executable code: the signature ties the
code to a publisher identified by a certificate issued by a certificate
authority, and any change to the signed bytes invalidates the signature.
A valid signature establishes who published the code and that it has not
been altered since; it does not by itself establish that the code is safe
to run. Hundreds of developers are using Authenticode to sign their
executables, and code-signing architectures have been proposed by both
Netscape and Sun.
- Microsoft is announcing the Web Executable Security Advisor Program to
provide more information for end users and developers about the issues
surrounding downloaded executable code. For more information, please see
http://www.microsoft.com/security/.
- Microsoft will continue to take the lead in the area of Web executable
code, including an enhanced Java security model, and will provide a
flexible model that allows the appropriate mix of functionality and
security.
The physical-world analogy of what happened is this: there's a floppy lying
in the street, with a note attached that says, "Load me." Although users
load shrink-wrapped code purchased from the store all the time, they are
wary of loading and running unattributable code. Authenticode enables users
to make reasoned and informed decisions, based on who developed the code,
about whether they want to run it.
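Authenticode is still the code-signing format on Windows, so the decision described above (who signed this, and is it still what they signed?) can be made concrete. The script below is an added example written for this page, not part of Microsoft's statement; it uses the Get-AuthenticodeSignature cmdlet that ships with Windows PowerShell. The policy names ('High' and 'Medium', mirroring the Internet Explorer 3.0 safety levels) and the file paths are assumptions made for the illustration.

```powershell
# Added example, not part of Microsoft's 1997 statement. Uses the built-in
# Get-AuthenticodeSignature cmdlet (Windows PowerShell 5.1 / PowerShell 7).
# The policy names and the file paths below are assumptions for illustration.

function Test-DownloadedCode {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # 'High' mirrors IE 3.0's default: refuse unsigned code outright.
        # 'Medium' stands in for a lowered setting that prompts the user instead.
        [ValidateSet('High', 'Medium')] [string] $Policy = 'High'
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # What a signature proves: WHO published the file (accountability) and that
    # the bytes are unchanged since signing (integrity). It never proves the
    # code is harmless; that judgement rests on whether you trust the publisher.
    $decision = switch ($sig.Status) {
        'Valid'        { 'Run only if you trust this publisher' }
        'HashMismatch' { 'Block: file changed after it was signed' }
        'NotTrusted'   { 'Block: signer chain does not end at a trusted CA (e.g. self-signed)' }
        'NotSigned'    {
            if ($Policy -eq 'High') { 'Block: unsigned' }
            else                    { 'Prompt: unsigned, publisher unknown' }
        }
        default        { "Block: $($sig.Status)" }
    }

    [pscustomobject]@{
        File       = $Path
        Status     = $sig.Status
        Publisher  = if ($cert) { $cert.Subject }    else { '(none)' }
        Issuer     = if ($cert) { $cert.Issuer }     else { '(none)' }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { '(none)' }
        Decision   = $decision
    }
}

# Integrity demonstration: copy a file that carries an embedded Authenticode
# signature, append a single byte, and check both. The copy should report
# 'HashMismatch' where the original reports 'Valid'.
function Show-TamperDetection {
    param([Parameter(Mandatory)] [string] $SignedFile)

    $copy = Join-Path $env:TEMP ('tampered_' + (Split-Path -Path $SignedFile -Leaf))
    Copy-Item -Path $SignedFile -Destination $copy -Force

    # One trailing byte is enough: the signed hash no longer matches the file.
    $fs = [System.IO.File]::Open($copy, [System.IO.FileMode]::Append)
    try { $fs.WriteByte(0) } finally { $fs.Close() }

    Test-DownloadedCode -Path $SignedFile
    Test-DownloadedCode -Path $copy
    Remove-Item -Path $copy -Force
}

# Usage (paths are assumptions):
# Get-ChildItem "$env:USERPROFILE\Downloads" -Include *.exe,*.dll,*.ocx,*.msi -Recurse -File |
#     ForEach-Object { Test-DownloadedCode -Path $_.FullName -Policy High } |
#     Format-Table Status, Publisher, Decision -AutoSize
# Show-TamperDetection -SignedFile 'C:\Path\To\signed.exe'
```

Pick a file with an embedded signature for Show-TamperDetection: many Windows system binaries are signed only through a catalog, and a modified copy of such a file reports NotSigned rather than HashMismatch, because there is no embedded signature left to compare against. Either way the policy above blocks it.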
© 1997 Microsoft Corporation. All rights reserved.