Microsoft Corporation
Updated September 3, 1996
Note: On June 17, 1996, Fred McLain posted a Microsoft® ActiveX™ Exploder Control on http://www.halcyon.com/mclain/ActiveX/. When downloaded via the Internet to a PC that has a power conservation BIOS, this control shuts down Microsoft Windows® 95 and turns off the PC. As of August 23, Fred McLain had signed this control using his Individual Software Publisher Digital ID from VeriSign and posted it to his public Web site.
One of the key issues facing Web surfers today is understanding the consequences of downloading the latest software from a Web site. Supposedly, this software will enrich their Web viewing experience. However, if users haven't interacted with a Web site before, it's not clear whether they should trust and download the software.
In today's Internet environment, a user could download code that, without warning, reformats the user's PC hard drive or, in the case of the Exploder Control, shuts down the PC. Without knowing who published the code, the user would have no way to contact or pursue recourse against the software publisher. And if the code had been tampered with after publication, neither the user nor the software publisher would know that the tampering had occurred. If the user could detect that the code had been tampered with, the user could avoid downloading a potentially malicious piece of code.
This scenario points to what end users need today on the Internet when they download code. They need to know unequivocally who published the code and whether the code has been tampered with after it has been published by the software provider.
Internet Explorer 3.0 addresses the industry's need for accountability of software that is downloaded over the Internet. Using Authenticode, a feature of Internet Explorer 3.0, end users can identify the publisher of software components, including Java applets, plug-ins, and ActiveX controls. Authenticode also assures end users that the code hasn't been altered since the publisher signed it.
Using Authenticode, Internet Explorer addresses the risk of unsigned code for end users. If code is unsigned or tampered with, Internet Explorer by default will not download the code, protecting end users from potentially malicious code.
Despite the open availability of Microsoft's code signing specifications, Netscape does not support Authenticode or any other code signing technology. Netscape Navigator 3.0 and other browsers have failed to address their customers' real security concerns. Navigator 3.0 ensures neither the accountability nor the integrity of Java applets, plug-ins, or other executables. As a result, Navigator end users can't make truly informed decisions as to whether or not to download code from the Internet.
Netscape has not addressed the risks of unsigned code for its end users. When end users download unsigned plug-ins or other unsigned executables, they take a risk that these software components will access their critical PC resources in a potentially malicious way. With Navigator 3.0, downloading unsigned plug-ins is as easy as downloading signed plug-ins, because Navigator doesn't check for signed code.
Microsoft Internet Explorer 3.0 provides a robust implementation of the sandbox for Java applets. Sandboxing confines Java applets to a constrained run-time environment and prevents them from accessing critical machine resources. Microsoft supports and employs this approach in its Microsoft Visual J++™ development tool, in the Microsoft reference implementation of Java, and in its scripting languages Visual Basic® Scripting Edition (VBScript) and JScript™ (Microsoft's implementation of JavaScript).
It is important to note that, in many cases, the sandbox approach is the right approach for security and that Authenticode is a complementary technology to sandboxing. But in cases where the developer needs to provide a richer, fuller-featured application that goes beyond the safe sandbox, an accountability mechanism is needed—like Authenticode.
Both Netscape and Sun Microsystems have announced their intent to support code signing technology, thus allowing Java applets to step outside of the sandbox. In fact, Sun has already submitted a competing code signing standard to the W3C.
Authenticode, based on Microsoft's widely supported code signing proposal to the W3C, uses industry standard digital signature technology. A software publisher signs its code with the private key corresponding to its digital certificate and attaches the resulting signature, together with the certificate, to the code; any subsequent change to the code invalidates the signature, so tampering can be detected using Authenticode. As a result, when an end user downloads code from the Internet, Authenticode informs the user who published the code and verifies for the user that the code has not been tampered with since it was signed.
Authenticode doesn't verify that software is free of bugs and malicious intent. However, now that software publishers are accountable for their code, they will increasingly provide code on the Internet that has the same quality and trustworthiness as that software found in the retail channel.
Recent discussion has focused on ActiveX controls and the ease with which users can download ActiveX controls using Internet Explorer 3.0. Given this ease of use, some critics contend that end users may not fully understand the security implications of downloading unsigned controls to their PCs.
By default, Internet Explorer 3.0 will not download unsigned code. The end user or a corporate administrator must explicitly change this default behavior through Internet Explorer's safety settings. Without changing this default setting, unsigned code cannot be downloaded to the user's PC.
Some experienced users have said, though, that they want to decide for themselves what code to trust. For these expert users, Internet Explorer offers a "medium" security setting, in which they can download unsigned code after being prompted by Internet Explorer. For users who want to automatically download all code, which is not recommended under any circumstances, Internet Explorer offers a "low" security setting. Using the Internet Explorer Administrator's Kit, corporate administrators can ensure that end users cannot download any unsigned code by fixing the security setting at "high."
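The signing-and-verification flow described above, together with the "high", "medium" and "low" safety settings, as an added example in Go. This is not Microsoft's code and not the Authenticode (PKCS#7) format itself: a constructed publisher generates a code-signing certificate, signs a blob, and a verifier reports the certified publisher name and rejects any code changed after signing. The function names (NewPublisher, Sign, Verify, Policy), the SignedCode layout, the sample code bytes, and the exact decisions in Policy are illustrative assumptions, not IE's implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// SignedCode is a constructed stand-in for a signed download: the code, the
// DER-encoded publisher certificate, and an ECDSA signature over SHA-256(code).
type SignedCode struct {
	Code, CertDER, Sig []byte
}

// Distinct failure modes, so policy can treat "unsigned" and "tampered" differently.
var (
	ErrUnsigned = errors.New("no signature or certificate attached")
	ErrTampered = errors.New("signature does not match code: altered after signing")
	ErrBadCert  = errors.New("certificate unparsable, expired, or wrong key type")
)

// NewPublisher generates a signing key and a self-signed code-signing certificate
// naming the publisher. A real publisher's certificate is issued by a CA (the
// page's example is VeriSign) and the verifier would also validate that chain.
func NewPublisher(name string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// Sign hashes the code and signs the digest with the publisher's private key;
// the certificate (identity + public key) is shipped alongside the code.
func Sign(key *ecdsa.PrivateKey, certDER, code []byte) (*SignedCode, error) {
	digest := sha256.Sum256(code)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedCode{Code: code, CertDER: certDER, Sig: sig}, nil
}

// Verify answers the page's two questions, who published this and has it changed
// since signing, and returns the certified publisher name on success.
func Verify(sc *SignedCode) (string, error) {
	if len(sc.Sig) == 0 || len(sc.CertDER) == 0 {
		return "", ErrUnsigned
	}
	cert, err := x509.ParseCertificate(sc.CertDER)
	if err != nil {
		return "", ErrBadCert
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	now := time.Now()
	if !ok || now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", ErrBadCert
	}
	// A single changed byte changes the digest, so the signature no longer verifies.
	digest := sha256.Sum256(sc.Code)
	if !ecdsa.VerifyASN1(pub, digest[:], sc.Sig) {
		return "", ErrTampered
	}
	return cert.Subject.CommonName, nil
}

// Outcomes for a download attempt.
const Allow, Prompt, Block = "allow", "prompt", "block"

// Policy models the page's description of the safety settings. Assumption (not
// stated on the page): a signature that is present but fails to verify is
// blocked at "medium" too, since that is tampering, not merely unsigned code.
func Policy(setting string, sc *SignedCode) (string, string) {
	publisher, err := Verify(sc)
	switch {
	case setting == "low": // everything runs; the page says never recommended
		return Allow, publisher
	case err == nil:
		return Allow, publisher
	case setting == "medium" && err == ErrUnsigned:
		return Prompt, ""
	default: // "high", or a tampered/invalid signature at "medium"
		return Block, ""
	}
}
```

The step deliberately left out is chain validation: a real verifier checks that the embedded certificate chains to a trusted root (such as the VeriSign root mentioned on the page) and carries the code-signing usage, since otherwise anyone can mint a self-signed certificate naming any publisher, exactly as NewPublisher does here.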
When end users encounter the Exploder Control, Authenticode provides them with a URL to obtain additional information about the publisher as well as cryptographic proof, through the VeriSign-issued certificate, that the control was signed under the publisher's identity. Without Authenticode, end users would have no proof of the publisher's identity and would not know whom to contact and hold accountable for the control.
Ultimately, it is the end user's decision to download the Exploder Control or not. If the user downloads the control and believes that it behaves "maliciously," Authenticode provides the user assurance of accountability, so the user can notify the software publisher and, in extreme cases, take appropriate action against the software publisher.
In summary, Authenticode does not guarantee that end users will never download malicious code to their PCs. However, Internet Explorer 3.0 has taken an important first step ahead of Navigator 3.0 to deter malicious software activity on the Internet and to provide users the assurance of software publisher accountability so that they can feel more secure about downloading software from the Internet.
Microsoft is working hard to continually evolve the end-user experience and the underlying technology, delivered through Authenticode, to ensure that downloading content on the Internet remains a positive and rewarding experience.