March 17, 1997 10:00 AM ET
Bug-bitten browser
Microsoft considers revamping its Authenticode security in the wake of Internet Explorer 3.0 security breaches
By Norvin Leach and Michael Moeller

This month's swarm of Internet Explorer bugs has pushed Microsoft Corp. into double-checking its browser products, while considering giving users more security setup options.

The Redmond, Wash., company is considering changing its Authenticode security scheme to let administrators select which ActiveX controls can be downloaded, rather than taking the current all-or-nothing approach.

Although no customers were affected by the security breaches in Internet Explorer 3.0, their existence forced Microsoft to delay the release of the Internet Explorer 4.0 browser platform preview for two weeks to add the patches and review the code. The first public beta edition will now be released at the end of this month (see our review of a prerelease version of IE 4.0).

Microsoft also has formed an alliance with the Computer Emergency Response Team to speed up notification of security problems. It also added an E-mail alias for reporting security problems (security@microsoft.com) and a Web page (www.microsoft.com/security).

For IT managers, security threats will always be a part of the Internet. The key is finding the problems and deploying fixes quickly.

"I expect that the bugs will continue both for Netscape [Communications Corp.] and Microsoft," said Rowan Snyder, chief technology officer and a partner at Coopers & Lybrand, in New York. "What concerns me is that I have the ability to deploy fixes to thousands of desktops in an hour."

The three bugs discovered this month exploited loopholes in IE 3.0 by allowing the browser to automatically execute files via shortcuts and other mechanisms. These bugs were intrinsic to IE, but other problems could arise with a more fundamental Microsoft technology, ActiveX, as Microsoft builds the browser into Windows.

Unlike Java applets, ActiveX components can access system functions. Microsoft officials have said this is necessary if a company wants to build a robust component-based system. Microsoft's response has been to recommend Authenticode code-signing certificates, which establish who wrote a component.

However, with the potential for security breaches, some corporations have opted to block ActiveX controls altogether, which prevents companies from using even internally developed components.

Lock down

Microsoft expands Authenticode to include such features as:

  • Customized access control levels of ActiveX controls
  • User-control over types of ActiveX controls allowed to be downloaded
  • Power to revoke digital certificates from developers of malicious ActiveX controls

If Microsoft upgrades Authenticode and the corresponding browser filters, corporate users could take advantage of internally developed controls but block ActiveX controls from being downloaded off the Internet.
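To make the difference between the two approaches concrete, here is a small policy model written for this page; it is an added illustration, not Microsoft's Authenticode code, and the publisher names, certificate serials and control names are constructed. It contrasts the all-or-nothing switch with a policy that checks the signer against an allow-list, honours a revocation list, and distinguishes internally hosted controls from Internet downloads.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of the policy change discussed above, not Microsoft's
# Authenticode implementation. Publisher names and serials are made up.

@dataclass(frozen=True)
class Control:
    name: str
    signer: Optional[str]       # publisher named in the signature, None if unsigned
    cert_serial: Optional[str]  # serial of the signing certificate, None if unsigned
    origin: str                 # "intranet" or "internet"

def all_or_nothing(control: Control, activex_enabled: bool) -> bool:
    """Current behaviour: one switch decides for every control, signed or not."""
    return activex_enabled

@dataclass(frozen=True)
class GranularPolicy:
    trusted_publishers: frozenset   # signers an administrator has approved
    revoked_serials: frozenset      # certificates pulled from malicious developers
    internet_downloads: bool        # whether Internet-sourced controls may run at all

    def decide(self, control: Control) -> Tuple[bool, str]:
        # Order matters: revocation is checked before trust, so a trusted
        # publisher whose certificate was revoked is still refused.
        if control.signer is None or control.cert_serial is None:
            return False, "unsigned control"
        if control.cert_serial in self.revoked_serials:
            return False, "signing certificate revoked"
        if control.origin == "internet" and not self.internet_downloads:
            return False, "Internet downloads blocked"
        if control.signer not in self.trusted_publishers:
            return False, f"publisher {control.signer!r} not on allow-list"
        return True, "signed by trusted publisher"

def evaluate(policy: GranularPolicy, controls) -> dict:
    """Map each control name to the (allowed, reason) decision."""
    return {c.name: policy.decide(c) for c in controls}

# Constructed sample data: an internal publisher, an outside vendor, an
# unsigned tool and a control whose certificate has been revoked.
POLICY = GranularPolicy(trusted_publishers=frozenset({"Example Corp IT"}),
                        revoked_serials=frozenset({"0003"}),
                        internet_downloads=False)
SAMPLE_CONTROLS = [
    Control("InternalReport", "Example Corp IT", "0001", "intranet"),
    Control("WebWidget", "Some Vendor", "0002", "internet"),
    Control("UnsignedTool", None, None, "intranet"),
    Control("RevokedControl", "Example Corp IT", "0003", "intranet"),
    Control("VendorTool", "Some Vendor", "0004", "intranet"),
]
```

Under the all-or-nothing switch the unsigned tool and the revoked control run whenever ActiveX is on; under the granular policy only the internally signed, unrevoked control does.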

Behind these issues is the basic insecurity of Windows 95, which allows access to functions that can be locked down in its more secure cousin, Windows NT Workstation.

Microsoft is examining the feasibility of tightening the system security in Windows 95. However, the operating system's architecture makes it difficult to add robust security, and Microsoft has discarded such ideas in the past as impractical.

Copyright(c) 1997 Ziff-Davis Publishing Company. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff-Davis Publishing Company is prohibited. PC Week and the PC Week logo are trademarks of Ziff-Davis Publishing Company. PC Week Online and the PC Week Online logo are trademarks of Ziff-Davis Publishing Company.
