Microsoft says: Don’t trust Microsoft
(via my O’Reilly blog)
There’s a new security hole in Microsoft software. An ActiveX control, supplied and signed by Microsoft, can run arbitrary programs on your computer. Microsoft has issued a fixed control, but there’s still a problem: sites can request the vulnerable version, and it will be fetched and reinstalled.
Microsoft’s solution: remove Microsoft from your list of trusted providers (if you ever put them there, that is).
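The root of the problem is that the installer trusts the publisher rather than the artifact: any control the publisher ever signed verifies, so a site can ask for the old vulnerable version and it passes. As an added illustration (not Microsoft's code; the control name, version numbers, and the HMAC stand-in for a real asymmetric signature are all constructed), here is a publisher-only check beside one that also enforces a minimum version and a deny list of known-bad builds:

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the publisher's signing key. A real scheme uses an
# asymmetric key, but the acceptance policy below is the same either way.
PUBLISHER_KEY = b"publisher-signing-key (constructed)"


@dataclass(frozen=True)
class SignedControl:
    name: str
    version: int
    payload: bytes
    signature: bytes


def _message(name: str, version: int, payload: bytes) -> bytes:
    return f"{name}|{version}|".encode() + payload


def sign_control(name: str, version: int, payload: bytes) -> SignedControl:
    sig = hmac.new(PUBLISHER_KEY, _message(name, version, payload), hashlib.sha256).digest()
    return SignedControl(name, version, payload, sig)


def signature_valid(ctl: SignedControl) -> bool:
    expected = hmac.new(PUBLISHER_KEY, _message(ctl.name, ctl.version, ctl.payload), hashlib.sha256).digest()
    return hmac.compare_digest(expected, ctl.signature)


def accept_publisher_trust(ctl: SignedControl) -> bool:
    # Publisher-level trust: anything the publisher ever signed is accepted,
    # including a version that is already known to be vulnerable.
    return signature_valid(ctl)


# Artifact-level policy (constructed): oldest acceptable version per control,
# plus a deny list of payload hashes for builds known to be bad.
MIN_VERSION = {"WebControl": 2}
DENIED_HASHES: set = set()


def accept_with_policy(ctl: SignedControl) -> bool:
    # The signature must still verify, but a valid signature on an old or
    # denied build is no longer enough to get it installed.
    if not signature_valid(ctl):
        return False
    if ctl.version < MIN_VERSION.get(ctl.name, 0):
        return False
    return hashlib.sha256(ctl.payload).hexdigest() not in DENIED_HASHES


# Constructed sample artifacts: v1 is the vulnerable control, v2 the fixed one.
VULNERABLE = sign_control("WebControl", 1, b"old vulnerable control code")
FIXED = sign_control("WebControl", 2, b"patched control code")
DENIED_HASHES.add(hashlib.sha256(VULNERABLE.payload).hexdigest())
# A payload swapped under a genuine signature must fail both checks.
TAMPERED = SignedControl("WebControl", 2, b"something else", FIXED.signature)
```

The first check is what lets a site reinstall the old control; the second is the kind of policy an installer needs before a publisher's signature means anything.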
It’s tempting just to chortle at this, but it illustrates serious problems with the code-signing approach in general. Way back in January 1997 I wrote that the ActiveX security architecture wasn’t actually a security architecture; at best it’s a blame-assignment architecture. I believe that even more today.
I’ve worked on projects that do code signing. And there are big security holes in the whole process. Think about how organizations work. Too many people will have access to the signing key. Signing becomes part of the automated build process, and it stays there even if security audits fall by the wayside. (Assuming, of course, that there ever were security audits.) You have to be careful with trusting individuals. Why would you ever grant blanket trust to a corporate entity?
Ken Thompson was right. The problem of trust runs deeper than technology.