MS-signed software seems to have very special privileges compared with software signed by other publishers.
This demo is intended to show that MS-signed code has the power to override IE security settings.
I have only tested IE 5.01, IE 4.01 and IE 5 with all the security fixes. Note that the back door I am describing can also be used by HTML e-mail messages.
The affected component is the Install Engine Control (Active Setup). This ActiveX component is not well documented; the only documentation I know of is here.
Before running the demos below, make sure that your security setting "Download signed ActiveX controls" is set to "prompt", which is the default value for this option. You must also make sure that you do not have a permanent trust for MS-signed software. Permanent trusts are stored in the registry branch:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database
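Both preconditions can be checked from a PowerShell prompt. This is an added example, not part of the original page: it assumes the per-user zone settings live under the `Internet Settings\Zones` key, where URL action `1001` is "Download signed ActiveX controls" (0 = enable, 1 = prompt, 3 = disable), and it lists whatever values exist under the Trust Database branch named above without interpreting them.

```powershell
# Added example: audit the signed-ActiveX download setting and permanent publisher trusts.
# Assumption: per-user settings only; machine-wide or policy keys are not examined.
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$trustKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database'

$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$meaning   = @{ 0 = 'Enable (no prompt)'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-SignedActiveXPolicy {
    foreach ($zone in 0..4) {
        $path  = Join-Path $zonesKey "$zone"
        $value = $null
        if (Test-Path $path) {
            # URL action 1001 = "Download signed ActiveX controls"
            $value = (Get-ItemProperty -Path $path -Name '1001' -ErrorAction SilentlyContinue).'1001'
        }
        if ($null -eq $value)                         { $setting = 'Not set for this user' }
        elseif ($meaning.ContainsKey([int]$value))    { $setting = $meaning[[int]$value] }
        else                                          { $setting = 'Unknown value' }
        [pscustomobject]@{ Zone = $zoneNames[$zone]; Raw = $value; Setting = $setting }
    }
}

function Get-PermanentTrust {
    # Returns every value stored in the Trust Database branch and its subkeys.
    if (-not (Test-Path $trustKey)) { return }
    $keys = @(Get-Item -Path $trustKey) + @(Get-ChildItem -Path $trustKey -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $key.PSChildName; ValueName = $name; Data = $key.GetValue($name) }
        }
    }
}

Get-SignedActiveXPolicy | Format-Table -AutoSize

$trusted = @(Get-PermanentTrust)
if ($trusted.Count -eq 0) {
    'No permanent publisher trust entries found for this user.'
} else {
    # Any entry here means code from that publisher may install without a prompt.
    $trusted | Format-Table -AutoSize
}
```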
Because I am a poor man, I can't spend $400 to buy a Software Developer ID certificate for Authenticode (this link will also provide you with a lot of info about code-signing technologies). If you want to look at the demo, you must first download and install a homemade certificate by clicking on the line below.
Install a Home Made Root CA Certificate.
Select "Open this file from its current location" and then OK. In the subsequent window, click "Install Certificate" and then Next, Next and Finish.
After the certificate has been installed, push the button below to execute the demo. The demo will show you how signed software will prompt the user before execution.
Do not forget to remove the certificate: open your IE Internet Options screen, select the Content tab, click Certificates, select the Trusted Root Certification Authorities tab, click on the line "Certificados JC" and then push the Remove button.
Now we'll see what happens when the software has been signed by MS. I have prepared a dummy demo that will install nothing. But the important thing is that the installer program will start without prompting the user (I could install any of the IE 5 components on your system, but I prefer to leave your system as it is).
It seems that MS-signed code gets a very "special treatment". I would conclude that MS has a back door to install and execute software without the user's approval.
Disable the "Download signed ActiveX" security option. But this solution will also prevent other software manufacturers from offering you their software in the clear way, that is: asking before installing.
Why is the MS signature so special?
Created by Juan Carlos G. Cuartango
Visitors since 02-07-2000