FWD:Shockwave security hole exposes e-mail (fwd)

Robert S. Thau (rst@ai.mit.edu)
Thu, 27 Mar 1997 18:01:17 -0500 (EST)

> > Date: Mon, 17 Mar 1997 10:41:05 -0800
> > From: Sidney Markowitz <sidney@research.apple.com>
> > Subject: Shockwave security hole exposes e-mail
> >
> > ...
> >
> > Relevant to the previous discussions on RISKS about Authenticode,
> > de Vitry points out that users of Microsoft Internet Explorer who
> > enter a page with a Shockwave movie on it are presented with an
> > Authenticode digital certificate signed by Macromedia, not by the
> > author of the possibly malicious movie.
> >
> > -- sidney markowitz <sidney@research.apple.com>

Ah yes, here's that "what does it mean to sign the thing" issue all
over again. Macromedia has signed their buggy Shockwave control. So
now, if you want to be able to trust *other* ActiveX controls signed
by Macromedia (including the bug-fixed Shockwave, when they produce
it!), you have to risk accepting the old, known-buggy Shockwave, with
its old, known-valid signature, from someone else who is deliberately
serving it (in conjunction with a malicious movie) as a Trojan Horse.

The only way I can see out of this in a code-signing framework would
be for Macromedia to get a new certificate *and* somehow securely
revoke the old one... does Authenticode provide for that?