Bugtraq mailing list archives

Re: MS signed software privileges


From: Dax () GURULABS COM (Dax Kelson)
Date: Tue, 22 Feb 2000 19:54:47 -0700


cuartango () TELELINE ES said once upon a time (Tue, 22 Feb 2000):

I would like to clarify some aspects from the Elias post regarding
Microsoft signed software. The fact that anybody could install MS
signed software using the Active Setup component is not very important.
The issue is: MS can silently execute any code in our Windows systems
just using their signature. MS has privileged their code; even if your
IE security setting "Download signed ActiveX" is set to prompt, MS
software will be installed without prompting the user. It seems that
MS has left a back door that will allow them to perform any action in
the Windows systems just by visiting a WEB page or opening an e-mail
message. I have prepared a demo at:
http://www.angelfire.com/ab/juan123/iengine.html

This demo shows the different behaviour of IE when the ActiveX is
signed by MS or signed by others.

This issue opens a big security and privacy hole; MS can take complete
control over our systems using this backdoor.

Is this backdoor acceptable? In my opinion it is not. I have worked
18 years for different OS software manufacturers and I have never
installed one line of code without a previous user approval.

You definitely have a point.

However (playing devil's advocate), you've trusted Microsoft to silently
execute "any code" on your machine at least once before by installing
their closed-source operating system, and that is a massive amount of
unaudited code.

Dax Kelson
Guru Labs

