Don’t trust Microsoft—no, really

Well, the inevitable has happened: some hackers have managed to get hold of a valid Microsoft security certificate. This will let them sign their virus or trojan horse programs, and Windows will believe that the code was written by Microsoft and run it without warning. The signed malicious code could be sent by e-mail or embedded in any web page as an ActiveX control.

The article suggests that users just need to check the signature date and refuse to run the ActiveX control if it’s the wrong date—but that’s not true. The default options in Windows are to trust all Microsoft-signed code unconditionally, so the 99% of users out there who haven’t messed with their security settings in depth will never even see a dialog. This blows a massive hole through the security of almost all Windows systems. Anti-virus software won’t help either. The only form of protection is to turn off ActiveX, and don’t use e-mail software that runs ActiveX components sent in HTML e-mail.

Hopefully this will once and for all end the war of words between the Java approach to security (which works) and the COM/ActiveX approach (which doesn’t).