IE in XP SP2 (Part 1): Authenticode – No, and never again!

As you probably know by now, XP SP2 RC1 is publicly available at Over the next week or so I’ll give an overview of a few of the security features the browser UI team has been working on.

The first I’ll mention is the revamped Authenticode dialog:

Besides the overall cleanup (the old dialog was difficult for many people to understand), the most noticeable enhancement is the addition of the “Never install software from…” radio button which lets you (finally!) blacklist publishers you don’t like. After you’ve blacklisted a publisher you’ll never again be prompted to install an ActiveX control signed with that publisher’s certificate. Instead, a harmless icon will show in the status bar to indicate that a control has been blocked.

If you click the status bar icon you’ll be brought to the Manage Add-ons dialog, another new security feature in IE which gives you control over all types of browser add-ons including ActiveX controls, Browser Helper Objects, and Toolbars. From here you can de-blacklist the publisher of a control that has been recently blocked, but the main purpose is to let you enable and disable add-ons that may be spyware/malware or causing crashes or other undesirable behavior. You can also get to this dialog from the “Tools/Manage Add-ons…” menu.

There are quite a few security tweaks to Authenticode in addition to what I’ve mentioned above. One that you may eventually get blocked by is the change to block the installation of invalidly signed ActiveX controls. A control usually gets into this state as the result of file corruption or tampering, and as such they are no more trustworthy than unsigned controls which have always been blocked in the Internet and Intranet zones. Although invalidly signed controls are uncommon, they’re not as rare as they should be because the old Authenticode dialog just gave a text warning and still allowed you to install the control. For this reason we’ve added a setting that allows you to bypass the new block — primarily for corporate intranet scenarios where mission-critical apps may have been deployed with invalidly signed controls (we had a few of these ourselves) — but I’m not going to tell you where it is because you shouldn’t turn it on.  🙂

Comments (25)

  1. Edward says:

    I see some of the add-on just have CLSIDs for names. How do we find out what they are, where they came from, and if they are potentially harmful?

    Also the name that does appear is under the control of the publisher I assume so we are bound to see more things like "Really Whizzy Cool Toolbar Button" than "Cover You With Advertising Tracker" which doesn’t help with the confusion of who is good and who is bad. Not that I think there is much you can do about it.

  2. dr.u says:

    Finally, I can block Gator for life!

  3. Pavel Lebedinsky says:

    > Not that I think there is much you can do about it.

    You could probably write a KB article about how I can find the actual DLL that implements an add-on, and link to this article from the help topic that comes up when I click on "Learn more about add-ons". Or may be add a "File name" column to the list view.

    Hmm… I just right-clicked on the list view header and there’s a CLSID column that’s initially hidden. That’s nice but the actual binary name would have been even better.

    It looks like at least some of the add-ons with broken display names are made by Microsoft. Do you already have bugs for these?

  4. Pavel Lebedinsky says:

    My other issue is with the Update ActiveX button. I’m scared to click on it because it’s not clear what will happen. Will it always ask for confirmation? Will it tell me what *exactly* it is trying to install?

    It looks like it’s doing the right thing, but you should probably describe it in more detail in the help.

    Also, can you change the button label to read "Update ActiveX…" to make it clear that it will ask for confirmation?

  5. I’ll look into the CLSID issue. I believe we show this only when there is absolutely no other information available.

    Ultimately, we’ll look at the information in the digital signature first, fall back on the version info (with a note) if we have to, then the filename, and finally the CLSID as a last resort.

    And yeah, even with an Authenticode signature it’s possible for a spyware/malware provider to name their control "Whizzy Cool Toolbar Button", making it impossible to discern the good from the bad at a glance. Think of Manage Add-ons as a good first step for giving you control that you didn’t have before.
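As an added example (not code from the original post or from IE itself), here is a PowerShell function that takes a CLSID as shown in the Manage Add-ons CLSID column, locates the DLL that implements it, classifies its Authenticode state the way the post describes (valid, invalidly signed, unsigned) and derives a display name in the fallback order given in comment 5. The function name, the registry lookup and the decision strings are my own assumptions; the post says nothing about how IE does this internally.

```powershell
# Added example, not the IE implementation. Audits one ActiveX/COM add-on by CLSID.
function Get-AddOnAudit {
    param(
        [Parameter(Mandatory)] [string] $Clsid   # e.g. '{00000000-0000-0000-0000-000000000000}' (placeholder)
    )
    # Find the DLL that implements the control: the registered InprocServer32 default value.
    $key  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    $path = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($path) { $path = [Environment]::ExpandEnvironmentVariables($path.Trim('"')) }

    $status = 'NotSigned'; $signer = $null; $info = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $status = [string]$sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        $signer = $sig.SignerCertificate
        $info   = (Get-Item -LiteralPath $path).VersionInfo
    }

    # Handling as described in the post: a HashMismatch means the file no longer matches
    # what the publisher signed (corruption or tampering), so it is no better than unsigned.
    $decision = switch ($status) {
        'Valid'        { 'signed: prompt with publisher name (or blocked if the publisher is blacklisted)' }
        'NotSigned'    { 'unsigned: blocked in the Internet and Intranet zones' }
        'HashMismatch' { 'invalidly signed (corrupt or tampered): blocked, same as unsigned' }
        default        { "signature problem ($status): blocked" }
    }

    # Display-name fallback order from comment 5: signature, version info (with a note), filename, CLSID.
    if ($status -eq 'Valid' -and $signer) {
        $cn     = $signer.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1
        $name   = if ($cn) { $cn.Substring(3) } else { $signer.Subject }
        $source = 'digital signature'
    } elseif ($info -and ($info.FileDescription -or $info.ProductName)) {
        $name   = "$(if ($info.FileDescription) { $info.FileDescription } else { $info.ProductName }) (unverified: version info)"
        $source = 'version info'
    } elseif ($path) {
        $name   = Split-Path -Leaf $path
        $source = 'filename'
    } else {
        $name   = $Clsid                       # last resort: nothing else is known about it
        $source = 'CLSID'
    }

    [pscustomobject]@{ Clsid = $Clsid; Path = $path; Status = $status
                       DisplayName = $name; NameSource = $source; Decision = $decision }
}

# Usage: paste the CLSIDs from the Manage Add-ons dialog's hidden CLSID column here.
'{CLSID-FROM-MANAGE-ADD-ONS}' | ForEach-Object { Get-AddOnAudit -Clsid $_ } | Format-List
```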

  6. Pavel, I’ll see what we can do about the "Update ActiveX" button.

  7. Tom Gilder says:

    That new authenticode dialog is so well designed and *SUCH* an improvement on the old one.

    I wouldn’t like to even take a guess as to how many computers have been compromised and generally mucked up by users not understanding the previous dialog and trying to make it go away by clicking yes.

    It’s going to seriously annoy companies who have put entire disclaimers in the software name though, I wonder what the legal aspects of that are? Some controls put an entire license in their name, which now simply isn’t displayed. Could anyone blame MS for not showing all of the text?

    Also, whilst on the subject of XP SP2, if you download a signed EXE to the desktop and run it, it gives you a security dialog. But if you do the same with an unsigned EXE, it runs it without a prompt – is this a bug?

  8. Tom Gilder says:

    Er, actually, ignore that – now seems to be working again.

    But if you save an EXE locally and then click open on the completed download dialog, it never shows any of the security warnings, now that surely is a bug? 🙂

  9. Tom, thanks for the comments. I don’t want to speculate on the legal issues of truncating the name, except to say that overloading the application name string to include a mini-EULA is dubious to begin with, and probably isn’t proper notice.

    Let me cover the other part in a separate post.

  10. Pavel Lebedinsky says:

    > we’ll look at the information in the digital signature first, fall back on the version info (with a note) if we have to, then the filename, and finally the CLSID as a last resort.

    Can you make it so that filename is always displayed (or at least make it a column that is hidden by default but can be displayed by right-clicking the list view header)?

    Sometimes filename is the easiest way to tell where the add-on came from.

  11. Nice. This feature got a rabid applause at the Atlanta DevDays 2004 last week. Good work.

  12. JD on MX says:

    IE/XP sp2 changes: Windows XP is in final testing changes for a significant new updater, and "jeffdav" or Microsoft details how Internet Explorer will change. New window propagation sounds similar to previous implementations: a new window can be opened only…

  13. Pavel, we’re considering adding the optional filename column as you described.

  14. Anyone know if XP SP2 has .NET inbuilt ? says:

    Hi All..

    Does Xp SP2 force .NEt 1.1 install ?

    It would be nice if it did..

    Then a software requirement would be..

    XP SP2 or 2003 etc…

    Not.. IE6+MDac+.NEt++++++++

  15. Microsoft has made the Windows XP SP2 "preview" available for downloading, this is a look at what will be happening…

  16. "Anyone", I don’t think XP SP2 will force .NET 1.1 install.

  17. Jacky says:

    Will we have IE 6 SP2 including all of these new features? Thanks.

  18. Jacky, I can’t yet speak for if/when downlevel releases will have these features. If they do, it would probably be a while after SP2 ships.

  19. Digging .NET says:

    After playing with XP SP2 RC1 for a while I still have a few things which bother me.I had a look at group…