Call to Action: Help us clean up Manage Add-ons

Hey all you ActiveX control owners out there, this is Sharon, PM owner of Manage Add-ons. Today I’m asking you to help us clean up the Manage Add-ons interface by digitally signing your controls.

Manage Add-ons (Tools → Manage Add-ons → Enable or Disable Add-ons) displays information about all of the controls on a user’s system: the control name, publisher name and control status (enabled or disabled), among other things. Controls that are not properly signed become an eyesore in Manage Add-ons, because the phrase “Not Verified” appears next to the publisher name. Beyond being an eyesore, this matters because users rely on the publisher name to make trust decisions about their ActiveX controls. If your control isn’t signed, the user only knows that someone says the control is from your corporation; they don’t know that you say the control is from your corporation.

[Figure: Manage Add-ons Unsigned Control]
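To see which controls on a machine would show “Not Verified” before a user does, here is an added PowerShell inventory script (example code, not part of the original post or of Manage Add-ons itself). It assumes Windows PowerShell with read access to HKCR and uses the same criterion Manage Add-ons uses for an ActiveX control: a CLSID that carries a `Control` subkey.

```powershell
# Added example, not code from the IEBlog post: list the registered ActiveX controls
# on this machine and report which would show "Not Verified" in Manage Add-ons,
# i.e. whose in-process server (.dll/.ocx) has no valid Authenticode signature.
# Assumptions: Windows PowerShell with read access to HKCR; 32-bit controls on a
# 64-bit OS are also registered under Wow6432Node\CLSID, which is covered below.

function Get-ActiveXSignatureReport {
    param([switch]$UnsignedOnly)

    $roots = @('Registry::HKEY_CLASSES_ROOT\CLSID',
               'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')
    $seen  = @{}

    $rows = foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            # Manage Add-ons lists ActiveX controls: CLSIDs that carry a 'Control' subkey.
            if (-not (Test-Path -LiteralPath "$($key.PSPath)\Control")) { continue }
            $srv = Get-ItemProperty -LiteralPath "$($key.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if (-not $srv) { continue }

            # The default value holds the server path; it may be quoted and may use %SystemRoot%.
            $path = [Environment]::ExpandEnvironmentVariables(([string]$srv.'(default)').Trim('"'))
            # A bare file name relies on the loader's search path; skip anything we cannot locate.
            if (-not $path -or -not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
            $k = $path.ToLowerInvariant()
            if ($seen.ContainsKey($k)) { continue }   # many CLSIDs share one DLL; report it once
            $seen[$k] = $true

            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                CLSID     = $key.PSChildName
                Name      = (Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue).'(default)'
                Path      = $path
                Status    = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
                Publisher = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'Not Verified' })
            }
        }
    }
    if ($UnsignedOnly) { $rows = $rows | Where-Object { $_.Status -ne 'Valid' } }
    $rows
}

# Anything other than 'Valid' is what the user sees as "Not Verified".
Get-ActiveXSignatureReport -UnsignedOnly | Sort-Object Publisher, Path | Format-Table -AutoSize
```

A HashMismatch status (the file changed after it was signed) deserves more attention than NotSigned, since the former is what a tampered control looks like.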

Luckily, this is easily remedied. When you digitally sign your control’s DLL, the publisher name shows up correctly, without the “Not Verified” next to it.

If your control is installed by a CAB file or another executable, be sure to sign both the installation file (so that the installation is permitted) and the .dll or .ocx file containing the ActiveX control (so that your publisher name shows up without the “Not Verified” notice). Some resources on code signing are available here:
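The two-step signing described above, as an added example (not code from the original post or from the Windows SDK): it uses `signtool.exe` to sign the control binary first, then the CAB that carries it, and verifies both. It assumes `signtool.exe` is on PATH, the code-signing key is in a PFX file, and the timestamp URL and file paths are placeholders.

```powershell
# Added example, not code from the IEBlog post: sign an ActiveX control's .dll/.ocx
# and the .cab that installs it with signtool.exe (Windows SDK), then verify both.
# Assumptions: signtool.exe is on PATH, the code-signing key is in a PFX file, and
# $tsa is a PLACEHOLDER for your CA's RFC 3161 timestamp server.

function Invoke-AuthenticodeSign {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$PfxPath,
        [Parameter(Mandatory)] [string]$PfxPassword,
        [Parameter(Mandatory)] [string]$Description,
        [Parameter(Mandatory)] [string]$TimestampUrl
    )
    # /fd and /td select SHA-256 for the file and timestamp digests; /tr embeds a
    # trusted timestamp so the signature stays valid after the certificate expires.
    & signtool.exe sign /f $PfxPath /p $PfxPassword /fd SHA256 /tr $TimestampUrl /td SHA256 /d $Description $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $Path (exit $LASTEXITCODE)" }
}

function Test-AuthenticodeSign {
    param([Parameter(Mandatory)] [string]$Path)
    # /pa applies the code-signing (Authenticode) policy; /v prints the signer chain.
    & signtool.exe verify /pa /v $Path
    return ($LASTEXITCODE -eq 0)
}

$pfx      = 'C:\keys\publisher.pfx'             # placeholder path
$pfxPass  = Read-Host -Prompt 'PFX password'    # prompt rather than hard-code the password
$tsa      = 'http://timestamp.example.invalid'  # PLACEHOLDER: your CA's timestamp URL
$binaries = @('.\build\MyControl.ocx')          # placeholder: the control inside the CAB
$cab      = '.\build\MyControl.cab'             # placeholder: the installation package

# 1. Sign the control binaries first: the extracted .ocx is what Manage Add-ons
#    inspects, so it must already be signed when it is packed into the CAB.
foreach ($bin in $binaries) {
    Invoke-AuthenticodeSign -Path $bin -PfxPath $pfx -PfxPassword $pfxPass -Description 'My Control' -TimestampUrl $tsa
}
# 2. Build the CAB from the signed binaries here (e.g. with makecab), then
# 3. sign the CAB itself so IE accepts the installation package.
Invoke-AuthenticodeSign -Path $cab -PfxPath $pfx -PfxPassword $pfxPass -Description 'My Control installer' -TimestampUrl $tsa

# 4. Verify every artifact the way Windows will; a failure here is what the user
#    sees as "Not Verified".
foreach ($f in ($binaries + $cab)) {
    if (-not (Test-AuthenticodeSign -Path $f)) { throw "Signature check failed: $f" }
}
```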

Some of you may be wondering why you should bother signing your controls when Microsoft has its own unsigned controls. Code signing every released DLL simply wasn’t part of Microsoft’s regular practices in the past, and as a result there is a lot of legacy code out there that is still not signed. Microsoft is, however, working to correct this situation. The IE compatibility team and I have already been in contact with several Microsoft teams that have unsigned controls; many of these are being corrected in upcoming releases or have been corrected already. For example, the MSN Messenger service control, which was unsigned, has been released as the signed Windows Live Messenger control in the new Windows Live Messenger version that shipped recently. Correcting all the legacy code out there is an ongoing effort. We hope you’ll help out by signing your code as well.

sharon cohen
Program Manager

Comments (56)

  1. Ron says:

    I remember back in the day, when I was fairly new to the internet, whenever I was prompted about ActiveX plugins I would check to see if they were signed; needless to say, I denied a few unsigned Microsoft plugins because of all the security warnings in the dialog.

    It’s good to know that something is being done about this, I can’t remember the last time I saw a ‘signed’ ActiveX control.

  2. me says:

    To quote one of your links: "Independent software vendors (ISVs) must obtain a certificate from a certification authority (CA) that is trusted by default in Microsoft Windows."

    As an individual developer without any company or financial backing, obtaining a certificate is rather expensive. For example, a one year Verisign certificate is a little under a thousand dollars. And then renewing each year…

    I’d like to digitally sign my stuff, but it is financially prohibitive.

  3. Arron says:

    Same as the commenter above. I’m not going to shell out that kind of big bucks to sign my components.

    Look, if you want a broad majority of us deploying these unsigned components to jump on the bandwagon, you’re going to have to offer a gratis service that lets us get our components signed for free.

    If not, you’ve just got to deal with the fact that not all of us are ISVs with deep pockets.

  4. game kid says:

    Indeed.  Let’s not even mention competing corps like Apple, Sun, DivX, etc.  Even controls from PopCap (which has its share of games on are unverified.

    The all-controls-are-signed utopia is not even visible, much less close (unless you guys are paying for their certs, maybe).

  5. codemastr says:

    Just a word about free certs from someone who once tried to set up a free CA.

    It’s just not gonna happen. Running a CA is expensive. First of all, you need top-notch security. If your Root key gets stolen, EVERY key you ever issued is junk. This requires the key to be kept super secure. When we did it, the key was stored in a safe deposit box at a bank. It required 2 keys to open the box, and only 4 people had keys (you always had to account for one of the people with a key dying!). The computer used to sign a key was not hooked up to the Internet. Keys were signed, put on floppy disk, transported to a computer with Internet access, then distributed. That alone cost quite a bit to maintain.

    Then there’s the administrative stuff. When you pay a CA, you’re basically paying them to verify you are who you say you are. So you say "I’m John Smith, I live at 123 My Street." Great, now how do I know that’s true? First, I might send a piece of mail to that address that you have to sign and mail back. I might require you to fax a copy of a driver’s license or other state ID. I might require a phone number that I will call to ensure you answer. Then there are many other things. I might access a private database to see if the specified name has ever reported identity theft. I might ask you for certain other verifiable information (your license plate number on your car, what bank issued your mortgage, etc.).

    Then there are technical costs. You have to have a system that allows real-time certificate verification (to ensure the certificate hasn’t been reported stolen and therefore revoked). Running a server that could, theoretically, have 10 million people querying it at a single instant and respond in real time requires some serious bandwidth. That’s not going to be cheap.

    The point is, all those verification techniques cost money to do. So how can a CA exist when they have to spend money to issue a certificate when you’re not paying them? I agree the prices might be a bit high, but free just won’t happen. The administrative costs of running a CA are simply too high.

    If the cert is free, it likely means the company did a poor job of identity verification (sending you an email and ensuring you respond doesn’t prove anything). If you can’t afford it, that definitely stinks, but a free cert just can’t happen unless someone decides they want to set up a business that they will pump millions into and continually lose money.

  6. Frankie says:

    Personally, I find it more than interesting that "all" Active-X Add-ons from Microsoft Money Central are not Signed.

    Strangely, the source reads the Active-X is from Microsoft…

  7. hAl says:

    Microsoft might do well to set up a certification program for developers who create free add-ons for IE and/or Office and/or .NET, to be able to certify that free stuff for free as well.

    You can’t expect programmers to donate money to some commercial certificate organisation when handing out their add-ons for free.

    I do expect, however, large companies such as MS itself and Google, AOL, Macromedia, Adobe and such to certify their add-ons.

  8. BB says:

    Unless Microsoft is willing to provide an inexpensive and/or gratis service for signing, it will place IE at a competitive disadvantage with other browsers.  All of the other main ones have their own free add-on management systems.

    Few ISVs are able to monetize their add-ons.  They’re built by freeware authors or given away at a loss to supplement commercial software packages.

  11. Hi Sharon,  

    Since you are in charge of add-ons, PLEASE can you force the Group Policy team to give us better control of Add-ons! Right now it is a nightmare, and you have to MANUALLY copy each GUID (you can’t even copy and paste from the IE list).

    For an example, try my support article with GPO and see how you get on!

  12. Lordmike says:

    @IE Team —

    I’m not sure if this has been fixed.

    At the moment I run latest IE 6 build (that I know of) here at work.

    And when I type in an address wrong, like IE will freeze up when trying to find it, which it won’t.. and this often crashes IE because I refuse to wait and repeatedly hit Esc in frustration.

    This also happens with Firefox, Safari (well, Safari doesn’t crash) and Opera. Can this be fixed somehow, or do we all have to wait 1-2 mins before doing anything about it?

    I find the wait quite annoying and I think most people do.

    Can I change the timeout to 5 seconds or less somewhere? Because that would be great!

  13. DR_DREW says:

    Why am I unable to "save target as" on links in IE7? That makes the option in the context menu useless… Plus, it’s very hard to download files quickly.

    Please respond. Am I doing something wrong?

  14. I had 100 IE windows popping up. But that has been taken care of now.

  15. Lordmike says:

    Isn’t this an English-only blog? Well, it should be at least, so everyone can understand the question… unless the IE team in Germany answers these questions.

  16. Vikram- Gunnikuntla says:

    Add-ons page: there is a problem with enabling and disabling add-ons. When I disable Flash and re-enable it, it is still disabled…

  17. Kevin Daly says:

    There are a couple of problems with this:

    a) All the resources on Code Signing tend to assume that you already know all about Code Signing…as in, "What does this switch (out of the 10 or so available) mean and why would I use it?"

    b) Code Signing is a great idea for a multi-billion dollar corporation…but what about the MicroISV? If you can even manage to persuade Verisign or the like that you are a legitimate entity, how do we distinguish between the costs of certificate services and other things that lead to bankruptcy? This is something that has been giving me a real sinking feeling over the past few days with regard to ClickOnce. It’s uncomfortably like Microsoft is saying "Only BigCo Inc. Need Apply". I know that isn’t the intention, but it is the effect.

  18. 0wn3r says:


    It’s still in BETA, it has the BETA 3 in the back of the name IE7, get it??!? BETA 3, expect problems n00b.

  19. Fduch says:


    $H@ 4p, n0OP!

    It doesn’t matter if it’s beta or not. If they say "Won’t Fix" or "By Design" expect the problem in Release too.

  20. Jerry Pisk says:

    Why would you use Verisign? They’re simply overpriced. At least take a look at Thawte, which is much cheaper.

    And if you timestamp your signatures you do not have to renew your certificate after it expires. Unless you are releasing new code, which would generally assume you are getting paid for doing so. And most major open source projects have non-profits (and for-profits) financing the development, so a certificate is not a problem there either, especially when compared with the cost of their sites, hardware and the certificate(s) they need to keep access to their code repository secure.

  21. Brad Brening says:

    This is another reason why the "addon" for IE model will never fly – too many hurdles to leap when creating one.

    To develop an "addon", you have to be a pretty experienced developer.  A lot of people have good ideas as to a great addon that would, say, highlight the current forum thread in such a way as to be more readable (like "Farky" for FF).  However, with the code signing, steep learning curve, etc., there are just too much involved in creating one.

    I don’t know why Microsoft couldn’t create something like a browser scripting language that quickly allows you to create scripts that interact with the browser only.  These scripts would be impotent outside the context of the browser, yet it makes it easy to extend the functionality of IE.  This would eliminate a lot of problems, and fuel IE-centric development.

  22. Paul Topping says:


    My company, Design Science, makes MathPlayer, a free add-in for IE that enables it to display MathML ( I think we’ve got somewhere around half a million installs so far. We are also coming out with a new version (2.1) for better IE7 compatibility.

    I would like MathPlayer to be part of Windows Error Reporting (WER) but since it’s a DLL, crashes in it are really crashes in IE. I have found evidence on Microsoft’s site that we should be able to get info (ie, minidumps) on any crashes that may have occurred in MathPlayer. However, we have been unable to do this. Of course, we’d like to think this is because MathPlayer has never crashed but I’ve been working with computers too long to really believe that. Are crashes in IE add-ins tracked by WER separately? Are there any guidelines for working with WER specific to IE add-ins? Any help would be appreciated.

    Paul Topping

    Design Science, Inc.

    pault at

  23. hAl says:


    "I don’t know why Microsoft couldn’t create something like a browser scripting language that quickly allows you to create scripts that interact with the browser only.  These scripts would be impotent outside the context of the browser, yet it makes it easy to extend the functionality of IE.  This would eliminate a lot of problems, and fuel IE-centric development."

    Actually the basis of ActiveX is that it allows multiple script engines to interact with the browser.

    So you could add your own script engine to do just that what you want.

  24. Mickey says:


    The Wikipedia article you link to clearly states that Active Scripting has, and I quote, "nothing to do with ActiveX".

  25. Jim Vierra says:

    The largest amount of "unverified" have always come from Microsoft, Hewlett-Packard and Apple.

    MSXML 4 is unverified even though MSXML 3,5 and beyond are signed correctly.

  26. hAl says:


    But when you look at the ActiveX article that is in your quoted line then it says:

    "ActiveX introduced ActiveX Controls, Active Documents and Active Scripting (built on top of OLE Automation)."

    I guess the ActiveX controls are just more well known due to the security issues surrounding them?

  27. Today I tried to register someone for Windows Live Messenger. We were unable to register using Firefox even when spoofing the UA (probably a proprietary JS check by the site). Windows Live Messenger now also seems to only accept hotmail email accounts for screen names, further pushing the monopoly in that direction. Checking email through Windows Live Messenger always defaults to IE and not the default browser. No matter how much time and energy is spent on making Live the best thing around, it is still anti-competitive and I am forced to keep people from using those products that are intended to kill the industry I work in, which is being done simply for the sake of profits to your company.

    With XP/SV1 (no windows updates other than SV1) installed I have 3,553 ActiveX controls on my computer. 150 are signed as controls, 1356 as part of XP as an OS.

    Don’t I feel secure?

    Good luck updating all the missing information. Also you may want to correct the casing on your last name. I really wish I could say something positive but I can’t right now as I’m not the one using dishonorable tactics in an unfair position of power.

  28. EricLaw [MSFT] says:

    There are a number of Certificate Authorities that offer code-signing certificates.  My personal certificate was 90$ a year; you can learn more at  

    You can see a more complete list of vendors here:

    @Paul Topping: You should be able to sign up at  Watson performs analysis to determine the faulting component, so even if the crash is reported as IExplore.exe, chances are good that we will isolate it down to your plugin.

    @Brad Brening: There are already script-based extension models available for IE.  See e.g. where I discuss some of the scripts I’ve published.

  29. ray says:


    Have you addressed your Messenger concerns with the Messenger team: or

    BTW, have you also let the Firefox developers know that it is anti-competitive that their search box does not include any Microsoft search engines by default?

  30. hAl says:

    Why doesn’t Microsoft give some money as a reward to the best rated (with significant minimum downloads and ratings) and certified new addons on

    That could be a decent incentive to certify a good addon and add it on that site. Spending, for instance, 10k in prize money every 3 or 6 months would make it worthwhile.

    Or give every certified addon on that site that manages 10,000 downloads, in a year or less, $500 or something like that.

    There is at the moment not an incentive to certify your code especially when you are not making money from the software !!

    (oh and please clean up the junk software from that site regularly)

  31. me says:


    When you wrote IE6, I also figured that it was a typo for IE7 since, excluding security updates, the "latest IE6 build" was years ago.

    In any case, I often mistype URLs and have never experienced a freeze as you describe. I typically use both Firefox and IE. (Can not comment about Opera.) Actually, I just tried your example and a fraction of a second later it returns with the expected error; I never lose control of the browser.

    Just a guess, but you may have a network configuration problem.

  32. Lordmike says:


    Yeah, it could be the firewalls, routers and proxies here at work. Weird is that it also happens at home… Probably a faultily configured firewall there too?

    I will look it up!

  33. hAl says:

    Oh and could someone please:

    a) remove the spam

    b) tell Sharon that she might react to some of the criticism here. Especially about her asking people that freely donate time and effort to also donate money for licensing without receiving anything useful for that.

  34. David Taylor says:


    Could you do me and the IE team a favour?

    For the last 2-3 months when using IE 7 Beta, the first time I open a new browser and browse to a site it literally takes 15 seconds until it starts downloading the site.  Then provided I leave the window open browsing is fast.

    This has been so frustrating I have almost moved to Firefox.  I was on the verge of reinstalling XP.  Then today I thought I would start disabling the IE add-ins one at a time to see if an add-in was causing this issue.

    It ended up being the Windows Live Sign-in Helper!  Removing that has restored IE to good performance and restored my sanity.

    I am guessing something is wrong with the Sign-in helper…or maybe it has never been tested for latency outside Redmond such as when someone is on the other side of the world (a common Microsoft development mistake).

    Please let the Windows Live team know and ask them to either fix their plug-in or remove it from peoples machines.


    David Taylor

  35. Carol Chisholm says:

    I have 9 unverified add-ons: 5 from Microsoft and 4 from Sun.

    Perhaps a little housekeeping might be in order?

  36. Carol Chisholm says:

    Don’t forget how hard it is for anyone outside the US to get a certificate from a US based org like Verisign or Thawte.

    The Swiss Post Office (can’t get much more respectable than that) has been trying for 2 years to get its root certs recognised by MS without success. They were going to do a low cost certificate system for people who had accounts with them.

  37. Patrick says:

    While I’m glad to see you are getting your own stuff signed, I must agree with most of the posters here: getting certificates is expensive. Eric Law provided us with a link, but that’s still $100 per year. Being a student, that’s way over the top.

  38. Jason says:

    There is no way on earth, that developers are going to do this, if there is a price tag attached.

    I write tons of clean, safe code and distribute it all over the Internet.  However I won’t ruin my sales figures, by signing something, that quite frankly, most end-users couldn’t care less about.

    It is well known that signed code does not in any way prove to the end user that it is not malicious.  I have seen several spyware applications with signing out the wazoo… it doesn’t mean a thing in terms of the "safeness" of the code.

  39. betabite says:

    Hyperlinked text usually turns purple after being clicked on. In the new IE, when in a new tab, those visited hyperlinks do NOT turn purple and this disturbs me. Please fix!!



  40. EricLaw [MSFT] says:

    @Jason: I’m not sure what you mean by "ruin your sales figures".  On a percentage basis, users are more likely to install your code if it’s signed, so it makes plenty of business sense to sign your code.  

  41. hAl says:


    Only companies might give a slight look to software being signed but individuals rarely do. So signing your software seems only interesting for add-ons that have a business market target and that are being licensed against a (small) fee.

  42. John C. Kirk says:

    Regarding the costs involved, I do stuff as a solo developer (outside of work), so I’ve bought two certificates from GlobalSign:

    Annoyingly, I needed separate certificates for SSL and code-signing, but it’s not an exorbitant cost – 175 euros per year each.

    @Jason, you are correct that code signing isn’t a guarantee of safety. (I’m investigating .NET security options as a way to restrict what a particular program can do, e.g. "this screensaver isn’t allowed to modify files on the hard drive".) The way I see it, it’s a 2 step process:

    a) Do I trust the person/company who wrote this program?

    b) Am I sure that they did actually write it (and that nobody has tampered with it since)?

    Code signing only addresses the second question, not the first. So, it’s just a part of the overall solution, but it is a necessary part. I liked the metaphor of the "sandwich test", which I heard a while back. Suppose you were at lunch, and a friend said "Hmm, I’m not very hungry – would you like one of the sandwiches I made this morning?" You would probably be fairly confident that this was safe to eat (barring allergies). By contrast, if someone came into your office and said "Hey, I found this sandwich lying on the ground outside – anyone want it?", then I’m guessing that you wouldn’t be very enthusiastic.

    Regarding the CAs, I would like to see a bit more transparency, in terms of their requirements for issuing certificates (particularly when it comes to individuals rather than companies); this would give end users a bit more confidence about who they can trust. For instance, I faxed the photo page from my passport over to GlobalSign, which seems like a reasonable amount of evidence.

  43. EricLaw [MSFT] says:

    @hAl: Users are getting more and more aware of the implications of unsigned code, and various security UIs have been improved to point out the dangers of unsigned code.

    @John C. Kirk: I like your analogy.  

    @Carol Chisholm: The process for becoming a trusted root is well-specified and audited by the WebTrust process.  I’m not aware of any delays for anyone complying with the standard.

  44. Vadim Rapp says:

    I think there’s one more aspect to this. What does the signing actually affirm? Only that the author has paid to the certification authority. Nothing else.

    Does it say that the add-on is not spyware? no.

    Does it mean that the add-on will not ruin the system by bad programming, installing rootkits etc.? no.

    Is there anything that prevents the most malicious hacker from obtaining the certificate and spreading signed malware? no.

    Go to Verisign and buy a code-signing certificate. Noticed anything resembling some sort of screening? Neither did I. A valid credit card is the only one.

    Take any just-purchased brand computer. You will find a ton of "value-added" icons in the tray, all installed there without user’s consent. They will be slowing the system down, calling home, spawning c’mons etc. They are all signed, and by "respectable" names. Does that make them legitimate? not from my perspective. In fact, they all are nothing but viruses, signed or not.

    So, what does this signing actually mean? Nothing. I think that the users who install signed add-on actually think that the certificate does mean all those above-named assurances, but in fact it’s not so. In fact, the more you think of it, the more you realize that it’s nothing but scam designed to deceive users with false sense of security.

  45. EricLaw [MSFT] says:

    @Vadim Rapp: You’re right in noting that certificates are not indicative of code quality, or a direct/pre-facto assurance of non-malice.  But, you’ve overlooked a number of important factors:

    1> Signing affirms that the certificate bearer’s code has not been altered since it was signed.

    2> Signing enables you to identify the author of the code to some degree of assurance: typically the bar is such that the CA collects information which will enable law enforcement to track down the creator if the certificate is used for malicious purposes.

    3> Digital certificates can be revoked if it is determined that the signed code was malicious (prohibited by the agreement signed when the certificate is purchased).  If the certificate is revoked, the user will be notified if they attempt to install the code.

  46. Suprman says:

    Java 2 Runtime Environment Standard Edition 5.0 Final build 1.5.0_08-b03 Update 8

    This plug-in is not yet “Not Verified”.

    Does Sun Java know about this?

  47. Nektar says:

    Isn’t it better to create a technology like the Phishing filter but for add-ons? In other words, create a list of malicious add-ons and prevent their installation. In any case, even with certificate revocation, I have never seen this being effective in practice. I don’t remember not being able to install a spyware or other malicious software because their certificate was revoked. If revoking is so useful, then why isn’t it used?

    Personally, a technology like the Phishing Filter would in my opinion be more effective, or are you going to transfer responsibility to Windows Defender for preventing malicious ActiveX controls?

    In my opinion code signing is not the best solution and has not helped over the years to stop any malicious activity.

  48. EricLaw [MSFT] says:

    @Nektar: What you’ve described basically ~is~ Windows Defender, a free product you can download to block malicious programs, whether you’ve installed them from IE or from somewhere else.  It gets its signature updates online like the Phishing filter, and it runs in real time.

    If you ever see a piece of malware signed with a digital signature, please send me email (ericlaw@) and I’ll go talk to the issuing CA.

  49. hAl says:


    "3> Digital certificates can be revoked if it is determined that the signed code was malicious (prohibited by the agreement signed when the certificate is purchased).  If the certificate is revoked, the user will be notified if they attempt to install the code."

    Has there ever been an IE add-on that has had its license revoked??

  50. Vadim Rapp says:

    @EricLaw [MSFT] : I’m curious, was there a single precedent when all this enforcement was put in effect?

    Besides, it’s all "heavy artillery", and even if some sort of prosecution took place, practically it most likely would be years of litigation before any effect. I’m sure the users who see the certificate trust that the assurance of being non-malice is much, much more direct than that. That’s where the deception comes into the picture – even though it’s 100% unintentianal, subjective, and based on users’ non-reading of the precise legal language. I’m sure if there was a poll, 90%+ of users would say that they believe that certificate means that Microsoft has actually tested the software and found it non-malicious.

    Which indeed would be the only truly, practically meaningful certificate (of course not necessarily coming from Microsoft). Much like it is with the certified drivers, if I’m not mistaken.

    The cost of such certification most likely would be much higher, but still it would be the only practically meaningful certificate.

    By the way, I find it amazing that certification authorities are charging hundreds of dollars for code-signing certificates, which, as I understand, are 100% computerized and carry zero human involvement. Another, albeit indirect, confirmation of what this business really is.

  51. virus says:

    Why can’t I put the toolbars where I want?

    I can’t move them up or down like in IE6. I installed and removed IE7 because of this.