cuartangoat_private said once upon a time (Tue, 22 Feb 2000): > I would like to clarify some aspects from the Elias post regarding > Microsoft signed software. The fact that anybody could install MS > signed software using Active Setup component in not very important. > The issue is : MS can silently execute any code in our Windows systems > just using their signature. MS has privileged their code, even if your > IE security setting "Download signed ActiveX" is set to prompt MS > software will be installed without prompting the user. It seems that > MS has left a back door that will allow them to perform any action in > the Windows systems just visiting a WEB page or opening an e-mail > message. I have prepared a demo in : > http://www.angelfire.com/ab/juan123/iengine.html > > This demo shows the diferent behaviour of IE when the ActiveX is > signed by MS or signed by others. > > This issue opens a big security and privacy hole, MS can take complete > control over our systems using this backdoor. > > In this backdoor acceptable ? In my opinion It is not, I have worked > 18 years for diferent OS software manufacturers and I have never > installed one line of code without a previous user approval. You definitely have a point. However (playing devil's advocate), you've trusted Microsoft to silently execute "any code" on your machine at least once before by installing their closed-source operating system, and that is a massive amount of unaudited code. Dax Kelson Guru Labs
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:36:42 PDT