REDMOND, Wash., Feb. 19, 1997 — Microsoft Corp. announced that, starting today, the Web Executable Security Advisor program will be available as a free resource to provide crucial information on security threats posed by executables found on the Internet. The Web Executable Security Advisor program includes a regularly updated Web site, mail lists and other education programs on threats such as those posed by anonymously distributed executable code. The program is available initially at http://www.microsoft.com/security/ (connect-time charges may apply). Microsoft also will hold a Web Executable Security round table in mid-spring, allowing customers to engage Microsoft in a constructive dialogue on how best to provide rich functionality and security for downloaded code.
“Microsoft is committed to ensuring the best possible Internet use – that includes educating the public about potential risks and helping users develop strategies for assessing and managing those risks,” said Brad Silverberg, senior vice president of the applications and Internet client group at Microsoft. “That’s the goal of the Web Executable Security Advisor initiative. After all, any executable content from the Internet carries significant potential risks, whether that code is a Java Applet, an ActiveX Control, a Macintosh application or a Navigator browser plug-in.”
The Web Executable Security Advisor program continues Microsoft’s leading role in addressing the risks of downloadable executables from the Internet. Microsoft’s Authenticode™ technology, a security feature in Microsoft® Internet Explorer 3.0, helps ensure accountability for and integrity of software components on the Internet. Authenticode technology can identify the publisher of a signed software component and verify that the software hasn’t been tampered with since it was signed. Users can decide case by case which code to download, based on their experience with and trust in a software publisher. Hundreds of developers have used Authenticode to sign their executables.
Authenticode, based on Microsoft’s proposal to the World Wide Web Consortium (W3C), is the only operational code-signing technology in use today. Other companies such as Sun Microsystems Inc. have put forth code-signing proposals, lending support to this approach. Microsoft will continue this leading role in the future with an enhanced Java security model, providing users and developers with flexible levels of functionality and security.
“Using untrusted executable content, including Java Applets, ActiveX Controls, PostScript files and Word macros, presents considerable risks,” said Gary McGraw, co-author of “Java Security: Hostile Applets, Holes and Antidotes.” “The first step toward dealing with these risks is to educate yourself about them. It makes good business sense for Microsoft to help educate users about Internet security risks. What you don’t know certainly can hurt you.”
Risk of Anonymous Code
Microsoft created the Web Executable Security Advisor program in response to user requests for help in addressing Internet security issues. In recent weeks, attacks by anonymously authored applications have become more acute as more executables have been delivered over the public network and as development tools for creating them have become more usable and productive.
“Network administrators are justifiably concerned about the risks of anonymous or altered code,” said Steve Lipner, executive vice president and general manager, Network Security Products of Trusted Information Systems Inc., a leading provider of network security solutions. “The combination of Microsoft’s educational efforts and TIS’s Gauntlet firewall, which allows administrators to control downloads of executable content based on Authenticode, will alleviate customer concerns and secure their networks.”
“Corporate developers are facing very real security challenges as they embrace the Internet. Educating users and developers is the right step,” said Rob Veitch, director of product development, Powersoft languages for Sybase Inc. “In addition, developers require products that make it easy to produce components that take advantage of Microsoft’s standards-based Authenticode. Our RAD Java for business development tool, code-named “Jato,” will include a target to enable users to package their applets and Java class libraries as signed CAB files.”
With executable content becoming more pervasive on the Internet, the potential for malicious executables grows accordingly. Although no security mechanism is foolproof, there are strategies that users and businesses can employ to reduce risk and protect their computing and financial assets. The Web Executable Security Advisor program is intended to provide users with the latest strategies for managing these risks.
“Users demand high-performance and real solutions in their Web pages, and ActiveX meets this need,” said Roger Dunn, CEO of Black Diamond Consulting Inc., a national consulting organization and developer of the Surround Video SDK. “However, the need for vigilance against rogue developers is as critical today on the Internet as it was when shareware software was handed about on floppies. Microsoft’s Web Executable Security Advisor program and Authenticode are two important steps in the right direction.”
The Web Executable Security Advisor Web site will cover security threats, link to code-signing proposals from other parties, and link to sites that maintain lists about various security threats. In addition, it will include a user tutorial on the use and administration of Microsoft Authenticode technology in Microsoft Internet Explorer 3.0.
More information can be found at:
Founded in 1975, Microsoft (NASDAQ) is the worldwide leader in software for personal computers. The company offers a wide range of products and services for business and personal use, each designed with the mission of making it easier and more enjoyable for people to take advantage of the full power of personal computing every day.
Microsoft, ActiveX and Authenticode are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.
Java is a trademark of Sun Microsystems Inc.
Other product and company names herein may be trademarks of their respective owners.
Note to editors: If you are interested in viewing additional information on Microsoft, please visit the Microsoft Web page at http://www.microsoft.com/presspass/ on Microsoft’s corporate information pages