PRB: Signature Not Recognized for Self Extracting Executables

 Last reviewed: September 29, 1997
Article ID: Q167714
The information in this article applies to:
  • Microsoft Internet Explorer (Programming), version 3.02, 4.0

SYMPTOMS

When downloading a signed self-extracting executable that worked fine in Internet Explorer 3.01, the following message is displayed: 

   A Windows application is attempting to open or install the following
   software component:

   SomeFile.exe

   Please be aware that some files may contain viruses or otherwise harm
   your computer.  This component has not been digitally "signed" by it's
   publisher.  Do you wish to continue?
This self-extracting executable was packaged using a product from a third- party vendor such as InstallShield's PackageForTheWeb or Nico Mak's WinZip.

CAUSE

This message may be displayed when downloading a properly signed self- extracting executable file in Internet Explorer version 3.02. This is a result of a security fix made to Internet Explorer 3.02.

RESOLUTION

If your code is not affected by this fix, you need not take any action.

If you currently sign self-extracting executables packaged with products from InstallShield or Nico Mak Computing, you will need to do the following.

  1. Download an updated version of their products, available today, from their Web sites. Please see http://www.installshield.com/pftw and http://www.winzip.com/wzse.htm, respectively, for more information about InstallShield and Nico Mak’s updated products.

  2. Repackage your self-extracting executable using these updated products.

  3. Re-sign your self-extracting executable using your current certificate and the current code signing tools, which are available in the ActiveX SDK at http://www.microsoft.com/sbnmember/download/download.asp

If you currently package your executable using another vendor’s product, please notify us through safecode@microsoft.com.

STATUS

This behavior is by design.

MORE INFORMATION

What code is affected?

This fix applies only to signed self-extracting executables created with tools from vendors such as InstallShield (PackageForTheWeb) and Nico Mak Computing (WinZip). Microsoft has worked with these vendors to make updated versions of their tools available.

What code is not affected?

No other types of signed code are affected. Self-extracting executables created with the Wise Installation System from GLBS are unaffected by this fix.

More details

The intent of this fix is to keep Internet Explorer and Microsoft Authenticode(TM) Technology a highly secure platform for executing downloaded code. When verifying the digital signature for signed self- extracting executables, previous versions of Internet Explorer did not take into consideration data that was referred to in the executables created by some vendors.

To address this potential problem, Internet Explorer 3.02 will not recognize the digital signature in the signed self-extracting executables described above, regardless of the browser's Safety Level. When a user downloads these signed self-extracting executables, Internet Explorer 3.02 will now bring up the "Potential Safety Warning" dialog box and treat the signed self-extractable executable as unsigned code. 

Keywords          : AXSDKCompDownload kb3rdparty kberrmsg kbinterop
Version           : Win:3.02,4.0
Platform          : WINDOWS
Issue type        : kbprb

================================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: September 29, 1997
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.