Want CNET to notify you of price drops and the latest stories?

Program compromises IE security

A start-up Internet company has posted a program on the Net that could allow Web sites to bypass the security controls in Internet Explorer.

A start-up Internet company has posted a program on the Net that could allow Web sites to bypass the security controls in Internet Explorer, CNET has learned.

The company, InfoSpace, created a program aimed at Net search engines such as Lycos and Excite that want to become the default search engine in "="" rel="nofollow" class="c-regularLink" target="_blank">Microsoft's Internet Explorer 3.0. But the program, which is actually featured on the Lycos Web site, manages to circumvent Explorer's security warning window--an action that could let InfoSpace sneak programs onto a user's personal computer without warning.

Although the InfoSpace program apparently was not created with malicious intent, it underscores the fragility of Internet Explorer's security defenses, as well as broader security issues related to downloading software over the Internet.

The InfoSpace program sidesteps a security feature in Internet Explorer, called Authenticode, which is designed to allow users to verify the origins of a piece of software code, such as an ActiveX control, a script, or a plug-in. The Authenticode system requires a user to entrust the developer of a program, whether it's InfoSpace, Lotus Development, or IBM, not to install viruses or other destructive programs on the user's system.

Although Authenticode does not prevent software developers from creating such programs, they can be held legally accountable for bad code. That's because the programs contain "digital signatures," a sort of ID card that allows perpetrators to be tracked down by law enforcement agencies. Microsoft works with VeriSign to provide digital signatures for programs.

Last month, VeriSign took matters into its own hands by asking a developer, Fred McLain, to remove an ActiveX control called Exploder from his Web site. The Exploder control was designed to crash a user's computer after downloading.

"Code signing is not a guarantee of code quality," Charles Fitzgerald, a product manager at Microsoft said. "It's an accountability trail."

As with all digitally signed programs, users are offered the option to accept or to reject the InfoSpace program before installing it on their systems. Users are also offered the option to bypass the Authenticode warning window for all InfoSpace programs in the future.

But the company's program registers InfoSpace as a "trusted publisher" in Explorer, effectively opening the browser to intrusions. The operation is akin to inviting a guest over to your house for dinner and having them copy the key to your front door without permission.

InfoSpace executives denied that there was any malice intended in its program, adding that it has provided Lycos with an updated version of the code. Lycos plans to post the new program later this evening, according to InfoSpace.

"It was a bug that got incorporated into the production code," InfoSpace CEO Naveen Jain said.

Lycos CEO Bob Davis said he was not aware of the bug in the InfoSpace program and could not comment on it. The program is identified as Lycos Quick Search on the search engine's site.

However, Microsoft officials expressed concern, saying it is hard to defend against once a user has consented to download code from the Net.

"Clearly their software is doing something a tad aggressive," said Rob Price, a group program manager for Internet security at Microsoft."[With Authenticode], users are making a one-time trust decision, this is a persistent trust decision."

Microsoft argued that Explorer provides better security than Netscape Communications' Navigator, which does not currently allow digital signatures on plug-ins. In Explorer, users are warned before downloading code even if the program does not contain a digital signature, though the source of the program is not identified.

In contrast to plug-in software and ActiveX controls, Java applets are prevented from damaging a user's computer through built-in restrictions in the Java Virtual Machine.

"Java is the model for dynamic executable content on the Net," said Eric Greenberg, group security manager at Netscape.