
Tony Schreiner's WebLog

Developer - IE | Vista. Fighting complexity for 9 years and counting.


IE in XP SP2 (Part 1): Authenticode - No, and never again!

As you probably know by now, XP SP2 RC1 is publicly available at http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx. Over the next week or so I'll give an overview of a few of the security features the browser UI team has been working on.

The first I'll mention is the revamped Authenticode dialog:

Besides the overall cleanup (the old dialog was difficult for many people to understand), the most noticeable enhancement is the addition of the "Never install software from..." radio button which lets you (finally!) blacklist publishers you don't like. After you've blacklisted a publisher you'll never again be prompted to install an ActiveX control signed with that publisher's certificate. Instead, a harmless icon will show in the status bar to indicate that a control has been blocked.

If you click the status bar icon you'll be brought to the Manage Add-ons dialog, another new security feature in IE which gives you control over all types of browser add-ons including ActiveX controls, Browser Helper Objects, and Toolbars. From here you can de-blacklist the publisher of a control that has been recently blocked, but the main purpose is to let you enable and disable add-ons that may be spyware/malware or causing crashes or other undesirable behavior. You can also get to this dialog from the "Tools/Manage Add-ons..." menu.

There are quite a few security tweaks to Authenticode in addition to what I've mentioned above. One that may eventually block something you want is the new block on installing invalidly signed ActiveX controls. A control usually gets into this state as the result of file corruption or tampering, and as such it is no more trustworthy than an unsigned control, which has always been blocked in the Internet and Intranet zones. Although invalidly signed controls are uncommon, they're not as rare as they should be, because the old Authenticode dialog just gave a text warning and still allowed you to install the control. For this reason we've added a setting that allows you to bypass the new block, primarily for corporate intranet scenarios where mission-critical apps may have been deployed with invalidly signed controls (we had a few of these ourselves), but I'm not going to tell you where it is because you shouldn't turn it on.  :-)
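To make the three signature states the post distinguishes concrete (valid, invalidly signed, and unsigned), here is an added example that is not code from the post or from IE: a PowerShell check over downloaded files using Get-AuthenticodeSignature, applying the same decisions SP2 applies. It assumes a publisher blocklist keyed on the signer certificate's thumbprint (the sample thumbprint is a constructed placeholder), since the "Never install software from..." choice is tied to the publisher's certificate rather than to the display name.

```powershell
# Constructed sample blocklist: replace the placeholder with thumbprints of
# publishers you have decided never to install software from.
$BlockedPublisherThumbprints = @(
    '0000000000000000000000000000000000000000'   # placeholder, not a real publisher
)

function New-Decision($Path, $Decision, $Reason, $Publisher) {
    [pscustomobject]@{ Path = $Path; Decision = $Decision; Reason = $Reason; Publisher = $Publisher }
}

function Get-ActiveXInstallDecision {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $BlockedThumbprints = $BlockedPublisherThumbprints
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path

    switch ($sig.Status.ToString()) {
        'Valid' {
            # Signature verifies: the decision now rests on the publisher.
            $cert  = $sig.SignerCertificate
            $thumb = $cert.Thumbprint
            if ($BlockedThumbprints -contains $thumb) {
                # Equivalent of "Never install software from...": no prompt, just block.
                return New-Decision $Path 'Block' "publisher $thumb is blocklisted" $cert.Subject
            }
            # Valid signature from a publisher you have not decided on yet: prompt.
            return New-Decision $Path 'Prompt' 'valid signature, publisher not yet decided' $cert.Subject
        }
        'NotSigned' {
            # Unsigned controls have always been blocked in the Internet/Intranet zones.
            return New-Decision $Path 'Block' 'unsigned' $null
        }
        'HashMismatch' {
            # Signature present but the file no longer matches it: corruption or
            # tampering. SP2 treats this exactly like an unsigned control.
            return New-Decision $Path 'Block' 'invalidly signed (hash mismatch)' $null
        }
        default {
            # Untrusted chain, unsupported format, etc.: also block, keep the reason.
            return New-Decision $Path 'Block' $sig.StatusMessage $null
        }
    }
}

# Usage: classify everything in the Downloads folder.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Include *.ocx, *.dll, *.exe -Recurse |
    ForEach-Object { Get-ActiveXInstallDecision -Path $_.FullName } |
    Format-Table Path, Decision, Reason, Publisher -AutoSize
```

The 'Prompt' outcome is where IE's dialog would appear; everything that returns 'Block' corresponds to the cases the post says SP2 no longer prompts for.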

Published Sunday, March 21, 2004 2:29 AM by tonyschr


Comments

# re: IE in XP SP2 (Part 1): Authenticode - No, and never again! @ Sunday, March 21, 2004 3:11 AM

I see some of the add-on just have CLSIDs for names. How do we find out what they are, where they came from, and if they are potentially harmful?
Also the name that does appear is under the control of the publisher I assume so we are bound to see more things like "Really Whizzy Cool Toolbar Button" than "Cover You With Advertising Tracker" which doesn't help with the confusion of who is good and who is bad. Not that I think there is much you can do about it.

Edward

# re: IE in XP SP2 (Part 1): Authenticode - No, and never again! @ Sunday, March 21, 2004 9:42 AM

Finally, I can block Gator for life!

dr.u

# re: IE in XP SP2 (Part 1): Authenticode - No, and never again! @ Sunday, March 21, 2004 11:37 AM

> Not that I think there is much you can do about it.

You could probably write a KB article about how I can find the actual DLL that implements an add-on, and link to this article from the help topic that comes up when I click on "Learn more about add-ons". Or maybe add a "File name" column to the list view.

Hmm... I just right-clicked on the list view header and there's a CLSID column that's initially hidden. That's nice but the actual binary name would have been even better.

It looks like at least some of the add-ons with broken display names are made by Microsoft. Do you already have bugs for these?

Pavel Lebedinsky

# re: IE in XP SP2 (Part 1): Authenticode - No, and never again! @ Sunday, March 21, 2004 11:45 AM

My other issue is with the Update ActiveX button. I'm scared to click on it because it's not clear what will happen. Will it always ask for confirmation? Will it tell me what *exactly* it is trying to install?

It looks like it's doing the right thing, but you should probably describe it in more detail in the help.

Also, can you change the button label to read "Update ActiveX..." to make it clear that it will ask for confirmation?

Pavel Lebedinsky

# re: IE in XP SP2 (Part 1): Authenticode - No, and never again! @ Sunday, March 21, 2004 12:30 PM

I'll look into the CLSID issue. I believe we show this only when there is absolutely no other information available.

Ultimately, we'll look at the information in the digital signature first, fall back on the version info (with a note) if we have to, then the filename, and finally the CLSID as a last resort.

And yeah, even with an Authenticode signature it's possible for a spyware/malware provider to name their control "Whizzy Cool Toolbar Button", making it impossible to discern the good from the bad at a glance. Think of Manage Add-ons as a good first step for giving you control that you didn't have before.

Tony Schreiner

# re: IE in XP SP2 (Part 1): Authenticode - No, and never again! @ Sunday, March 21, 2004 12:32 PM

Pavel, I'll see what we can do about the "Update ActiveX" button.

Tony Schreiner

# IE in XP SP2 (Part 2): Information Bar - Stopping the modal dialog madness @ Sunday, March 21, 2004 4:43 PM

Tony Schreiner's WebLog

# re: IE in XP SP2 (Part 1): Authenticode - No, and never again! @ Sunday, March 21, 2004 4:50 PM

That new Authenticode dialog is so well designed and *SUCH* an improvement on the old one.

I wouldn't like to even take a guess as to how many computers have been compromised and generally mucked up by users not understanding the previous dialog and trying to make it go away by clicking yes.

It's going to seriously annoy companies who have put entire disclaimers in the software name though, I wonder what the legal aspects of that are? Some controls put an entire license in their name, which now simply isn't displayed. Could anyone blame MS for not showing all of the text?

Also, whilst on the subject of XP SP2, if you download a signed EXE to the desktop and run it, it gives you a security dialog. But if you do the same with an unsigned EXE, it runs it without a prompt - is this a bug?

Tom Gilder

# re: IE in XP SP2 (Part 1): Authenticode - No, and never again! @ Sunday, March 21, 2004 7:06 PM

Er, actually, ignore that - now seems to be working again.

But if you save an EXE locally and then click open on the completed download dialog, it never shows any of the security warnings, now that surely is a bug? :)

Tom Gilder

# re: IE in XP SP2 (Part 1): Authenticode - No, and never again! @ Sunday, March 21, 2004 8:08 PM

Tom, thanks for the comments. I don't want to speculate on the legal issues of truncating the name, except to say that overloading the application name string to include a mini-EULA is dubious to begin with, and probably isn't proper notice.

Let me cover the other part in a separate post.

Tony Schreiner

# Security prompt on downloaded files in XP SP2 @ Sunday, March 21, 2004 11:50 PM

Tony Schreiner's WebLog

# re: IE in XP SP2 (Part 1): Authenticode - No, and never again! @ Sunday, March 21, 2004 10:54 PM

> we'll look at the information in the digital signature first, fall back on the version info (with a note) if we have to, then the filename, and finally the CLSID as a last resort.

Can you make it so that filename is always displayed (or at least make it a column that is hidden by default but can be displayed by right-clicking the list view header)?

Sometimes filename is the easiest way to tell where the add-on came from.

Pavel Lebedinsky

# RE: IE in XP SP2 (Part 1): Authenticode - No, and never again! @ Monday, March 22, 2004 8:28 AM

Nice. This feature got a rabid applause at the Atlanta DevDays 2004 last week. Good work.

mearls@hotmail.com (Michael Earls)

# IE/XP sp2 changes @ Monday, March 22, 2004 5:07 PM

IE/XP sp2 changes: Windows XP is in final testing changes for a significant new updater, and "jeffdav" of Microsoft details how Internet Explorer will change. New window propagation sounds similar to previous implementations: a new window can be opened only...

JD on MX

# re: IE in XP SP2 (Part 1): Authenticode - No, and never again! @ Monday, March 22, 2004 9:40 PM

Pavel, we're considering adding the optional filename column as you described.

Tony Schreiner

# re: IE in XP SP2 (Part 1): Authenticode - No, and never again! @ Wednesday, March 24, 2004 5:34 AM

Hi All..

Does XP SP2 force .NET 1.1 install?

It would be nice if it did..

Then a software requirement would be..

XP SP2 or 2003 etc...

Not.. IE6+MDAC+.NET++++++++

Anyone know if XP SP2 has .NET inbuilt ?

# Windows XP - major security enhancements and more! @ Wednesday, March 24, 2004 5:14 PM

Microsoft has made the Windows XP SP2 "preview" available for downloading, this is a look at what will be happening...

Core/Dump: opinion, babes and bondage...

# re: IE in XP SP2 (Part 1): Authenticode - No, and never again! @ Wednesday, March 24, 2004 6:10 PM

"Anyone", I don't think XP SP2 will force .NET 1.1 install.

Tony Schreiner

# IE in XP SP2 (Part 3): Web Site Compatibility @ Tuesday, March 30, 2004 3:24 AM

Tony Schreiner's WebLog

# re: IE in XP SP2 (Part 1): Authenticode - No, and never again! @ Tuesday, March 30, 2004 7:48 PM

Tony,

Will we have IE 6 SP2 including all of these new features? Thanks.

Jacky

# re: IE in XP SP2 (Part 1): Authenticode - No, and never again! @ Monday, April 05, 2004 7:23 PM

Jacky, I can't yet speak for if/when downlevel releases will have these features. If they do, it would probably be a while after SP2 ships.

Tony Schreiner

# XP SP2 RC1 issues @ Friday, May 07, 2004 6:40 PM

XP SP2 RC1 issues

Stefan Demetz

# Security prompt on downloaded files in XP SP2 @ Tuesday, June 29, 2004 3:47 PM

Tony Schreiner's WebLog

# IE in XP SP2 (Part 2): Information Bar - Stopping the modal dialog madness @ Tuesday, June 29, 2004 3:47 PM

Tony Schreiner's WebLog

# XP SP2 RC1 issues @ Monday, September 12, 2005 7:10 PM

After playing with XP SP2 RC1 for a while I still have a few things which bother me. I had a look at group...

Digging .NET
