IE in XP SP2 (Part 1): Authenticode - No, and never again!

re: IE in XP SP2 (Part 1): Authenticode - No, and never again!

Edward — Sun, 21 Mar 2004 10:11:00 GMT

I see some of the add-on just have CLSIDs for names. How do we find out what they are, where they came from, and if they are potentially harmful?
Also the name that does appear is under the control of the publisher I assume so we are bound to see more things like "Really Whizzy Cool Toolbar Button" than "Cover You With Advertising Tracker" which doesn't help with the confusion of who is good and who is bad. Not that I think there is much you can do about it.

re: IE in XP SP2 (Part 1): Authenticode - No, and never again!

dr.u — Sun, 21 Mar 2004 16:42:00 GMT

Finally, I can block Gator for life!

re: IE in XP SP2 (Part 1): Authenticode - No, and never again!

Pavel Lebedinsky — Sun, 21 Mar 2004 18:37:00 GMT

> Not that I think there is much you can do about it.

You could probably write a KB article about how I can find the actual DLL that implements an add-on, and link to this article from the help topic that comes up when I click on "Learn more about add-ons". Or may be add a "File name" column to the list view.

Hmm... I just right-clicked on the list view header and there's a CLSID column that's initially hidden. That's nice but the actual binary name would have been even better.

It looks like at least some of the add-ons with broken display names are made by Microsoft. Do you already have bugs for these?

re: IE in XP SP2 (Part 1): Authenticode - No, and never again!

Pavel Lebedinsky — Sun, 21 Mar 2004 18:45:00 GMT

My other issue is with the Update ActiveX button. I'm scared to click on it because it's not clear what will happen. Will it always ask for confirmation? Will it tell me what *exactly* it is trying to install?

It looks like it's doing the right thing, but you should probably describe it in more detail in the help.

Also, can you change the button label to read "Update ActiveX..." to make it clear that it will ask for confirmation?

re: IE in XP SP2 (Part 1): Authenticode - No, and never again!

Tony Schreiner — Sun, 21 Mar 2004 19:30:00 GMT

I'll look into the CLSID issue. I believe we show this only when there is absolutely no other information available.

Ultimately, we'll look at the information in the digital signature first, fall back on the version info (with a note) if we have to, then the filename, and finally the CLSID as a last resort.

And yeah, even with an Authenticode signature it's possible for a spyware/malware provider to name their control "Whizzy Cool Toolbar Button", making it impossible to discern the good from the bad at a glance. Think of Manage Add-ons as a good first step for giving you control that you didn't have before.

re: IE in XP SP2 (Part 1): Authenticode - No, and never again!

Tony Schreiner — Sun, 21 Mar 2004 19:32:00 GMT

Pavel, I'll see what we can do about the "Update ActiveX" button.

IE in XP SP2 (Part 2): Information Bar - Stopping the modal dialog madness

Tony Schreiner's WebLog — Sun, 21 Mar 2004 23:43:00 GMT

re: IE in XP SP2 (Part 1): Authenticode - No, and never again!

Tom Gilder — Sun, 21 Mar 2004 23:50:00 GMT

That new authenticode dialog is so well designed and *SUCH* and improvement on the old one.

I wouldn't like to even take a guess as to how many computers have been compromised and generally mucked up by users not understanding the previous dialog and trying to make it go away by clicking yes.

It's going to seriously annoy companies who have put entire disclaimers in the software name though, I wonder what the legal aspects of that are? Some controls put an entire license in their name, which now simply isn't displayed. Could anyone blame MS for not showing all of the text?

Also, whilst on the subject of XP SP2, if you download a signed EXE to the desktop and run it, it gives you a security dialog. But if you do the same with an unsigned EXE, it runs it without a prompt - is this a bug?

re: IE in XP SP2 (Part 1): Authenticode - No, and never again!

Tom Gilder — Mon, 22 Mar 2004 02:06:00 GMT

Er, actually, ignore that - now seems to be working again.

But if you save an EXE locally and then click open on the completed download dialog, it never shows any of the security warnings, now that surely is a bug? :)

re: IE in XP SP2 (Part 1): Authenticode - No, and never again!

Tony Schreiner — Mon, 22 Mar 2004 03:08:00 GMT

Tom, thanks for the comments. I don't want to speculate on the legal issues of truncating the name, except to say that overloading the application name string to include a mini-EULA is dubious to begin with, and probably isn't proper notice.

Let me cover the other part in a separate post.

Security prompt on downloaded files in XP SP2

Tony Schreiner's WebLog — Mon, 22 Mar 2004 06:50:00 GMT

re: IE in XP SP2 (Part 1): Authenticode - No, and never again!

Pavel Lebedinsky — Mon, 22 Mar 2004 05:54:00 GMT

> we'll look at the information in the digital signature first, fall back on the version info (with a note) if we have to, then the filename, and finally the CLSID as a last resort.

Can you make it so that filename is always displayed (or at least make it a column that is hidden by default but can be displayed by right-clicking the list view header)?

Somethimes filename is the easiest way to tell where the add-on came from.

RE: IE in XP SP2 (Part 1): Authenticode - No, and never again!

mearls@hotmail.com (Michael Earls) — Mon, 22 Mar 2004 15:28:00 GMT

Nice. This feature got a rabid applause at the Atlanta DevDays 2004 last week. Good work.

IE/XP sp2 changes

JD on MX — Tue, 23 Mar 2004 00:07:00 GMT

IE/XP sp2 changes: Windows XP is in final testing changes for a significant new updater, and "jeffdav" or Microsoft details how Internet Explorer will change. New window propagation sounds similar to previous implementations: a new window can be opened only...

re: IE in XP SP2 (Part 1): Authenticode - No, and never again!

Tony Schreiner — Tue, 23 Mar 2004 04:40:00 GMT

Pavel, we're considering adding the optional filename column as you described.

re: IE in XP SP2 (Part 1): Authenticode - No, and never again!

Anyone know if XP SP2 has .NET inbuilt ? — Wed, 24 Mar 2004 12:34:00 GMT

Hi All..

Does Xp SP2 force .NEt 1.1 install ?

It would be nice if it did..

Then a software requirement would be..

XP SP2 or 2003 etc...

Not.. IE6+MDac+.NEt++++++++

Windows XP - major security enhancements and more!

Core/Dump: opinion, babes and bondage... — Thu, 25 Mar 2004 00:14:00 GMT

Microsoft has made the Windows XP SP2 "preview" available for downloading, this is a look at what will be happening...

re: IE in XP SP2 (Part 1): Authenticode - No, and never again!

Tony Schreiner — Thu, 25 Mar 2004 01:10:00 GMT

"Anyone", I don't think XP SP2 will force .NET 1.1 install.

IE in XP SP2 (Part 3): Web Site Compatibility

Tony Schreiner's WebLog — Tue, 30 Mar 2004 10:24:00 GMT

re: IE in XP SP2 (Part 1): Authenticode - No, and never again!

Jacky — Wed, 31 Mar 2004 02:48:00 GMT

Tony,

Will we have IE 6 SP2 including all of these new features? Thanks.

re: IE in XP SP2 (Part 1): Authenticode - No, and never again!

Tony Schreiner — Tue, 06 Apr 2004 02:23:00 GMT

Jacky, I can't yet speak for if/when downlevel releases will have these features. If they do, it would probably be a while after SP2 ships.

XP SP2 RC1 issues

Stefan Demetz — Sat, 08 May 2004 01:40:00 GMT

XP SP2 RC1 issues

Security prompt on downloaded files in XP SP2

Tony Schreiner's WebLog — Tue, 29 Jun 2004 22:47:00 GMT

IE in XP SP2 (Part 2): Information Bar - Stopping the modal dialog madness

Tony Schreiner's WebLog — Tue, 29 Jun 2004 22:47:00 GMT

XP SP2 RC1 issues

Digging .NET — Tue, 13 Sep 2005 02:10:07 GMT

After playing with XP SP2 RC1 for a while I still have a few things which bother me.I had a look at group...