Microsoft versus Microsoft: IE9 busts MSDN for a security gaffe

Summary: Today, a "rogue faction" at Microsoft published a nifty add-in that will make developers' lives easier. So why did Internet Explorer 9 flag it as a likely security threat? And why should that warning be a wake-up call for developers?

Update 18-June 9AM PDT: The Web Platform and Tools team has replaced the original version of the Visual Studio update described in this post with one that is digitally signed.

You don’t see this sort of thing very often, thankfully.

Today, a self-described “rogue faction” at Microsoft (that's a joke, of course) released an add-in for Visual Studio 2010 that improves HTML5 and JavaScript support. (Read Mary Jo Foley’s writeup for more details.)

But a funny thing happens if you use Internet Explorer 9 to download the code from the Visual Studio gallery. A few weeks ago, I wrote about the new reputation-based security features in IE9 and noted in passing, “No domain or file gets a free pass—not even a new signed release from Microsoft or Google. Every file has to build a reputation.”

Here’s your proof:

That red shield is a severe roadblock. IE9 makes it particularly difficult to download any file that falls into this category.

At first glance, this seems like a false positive (Tim Anderson described it as “extreme for a download from an official Microsoft site”).

Look more closely at the file and you will see there's a legitimate reason for the dire warning. It's a Windows Installer (.msi) package, which means its job is to install a program on your system. And yet this MSI package is not digitally signed. A brand new file that hasn't been seen in public before and is not digitally signed? According to Microsoft Security, there's about a 96% chance that a file fitting that description is malware.
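Here is the check IE9 is effectively performing, written out as an added example (my own script, not part of the original post and not code from Microsoft or the Visual Studio team). It inspects a downloaded installer for the Mark-of-the-Web zone tag that browsers attach to downloads, verifies its Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet (which handles .msi as well as .exe, .dll and .ps1), and refuses to hand the package to msiexec unless the signature is valid and the signer is the publisher you expect. The file path and the expected publisher string are assumptions for illustration; it needs PowerShell 3.0 or later for the -Stream parameter.

```powershell
# Added example: refuse to run a downloaded installer unless it carries a
# valid Authenticode signature from the publisher we expect.
# The path and the expected subject string below are assumptions.

function Test-DownloadTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring expected in the signer certificate's Subject (assumption)
        [string] $ExpectedPublisher = 'CN=Microsoft Corporation'
    )

    $result = [ordered]@{
        Path            = $Path
        FromInternet    = $false
        SignatureStatus = $null
        Signer          = $null
        Trusted         = $false
        Reason          = $null
    }

    # 1. Mark-of-the-Web: browsers write a Zone.Identifier alternate data
    #    stream on downloads; ZoneId=3 means "Internet". Its absence does not
    #    prove the file is local, only that nothing tagged it (non-NTFS volumes
    #    and some transfer tools drop the stream).
    try {
        $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
        if ($zone -match 'ZoneId=3') { $result.FromInternet = $true }
    } catch {
        # No alternate data stream: file was not tagged as a download.
    }

    # 2. Authenticode: Status is Valid, NotSigned, HashMismatch, NotTrusted,
    #    UnknownError or NotSupportedFileFormat. Only Valid is acceptable.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus = $sig.Status.ToString()
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
    }

    if ($sig.Status -ne 'Valid') {
        $result.Reason = "signature status is $($sig.Status): $($sig.StatusMessage)"
    } elseif ($result.Signer -notlike "*$ExpectedPublisher*") {
        # A valid signature from the wrong publisher is still a rejection:
        # "signed" on its own is not a trust decision.
        $result.Reason = "signed, but by '$($result.Signer)', not the expected publisher"
    } else {
        $result.Trusted = $true
        $result.Reason  = 'valid signature from the expected publisher'
    }

    [pscustomobject]$result
}

function Install-IfTrusted {
    param([Parameter(Mandatory)] [string] $Path)

    $check = Test-DownloadTrust -Path $Path
    $check | Format-List | Out-String | Write-Host

    if (-not $check.Trusted) {
        Write-Warning "Refusing to install $Path : $($check.Reason)"
        return
    }
    # Reached only for a validly signed package from the expected publisher.
    Start-Process -FilePath 'msiexec.exe' -ArgumentList "/i `"$Path`"" -Wait
}

# Usage (file name is an assumption):
# Install-IfTrusted -Path "$env:USERPROFILE\Downloads\example-addin.msi"
```

Run against the unsigned package described above, Test-DownloadTrust reports SignatureStatus NotSigned and Install-IfTrusted stops before msiexec is ever launched. Keep in mind what a passing check does and does not prove: a valid Authenticode signature tells you the package has not been modified since the holder of that private key signed it, not that the code is benign. That is exactly why IE9 layers file reputation on top of the signature check rather than replacing it.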

This really and truly is an unofficial release. But it’s hosted on a Microsoft server, where the public should never, ever be able to download executable code that isn’t digitally signed. Period. If that isn’t a companywide security policy, it should be.

I expect that this mistake will be fixed relatively quickly, but in a way I’m glad it happened. It offers a chance to see and learn from the real-world consequences when coders aren’t thinking about security.

Topics: Software Development, Browser, Microsoft, Security

Talkback

49 comments
  • RE: Microsoft versus Microsoft: IE9 busts MSDN for a security gaffe

    Sadly, I've seen this warning triggered by Microsoft's own Zune software. :(

    Ooops.
    The one and only, Cylon Centurion
    • In the last 90 days?

      @Cylon Centurion

      If that's something you've seen recently, I'd like to know more. If it was before IE9's release in March, then I can chalk it up to beta.
      Ed Bott
      • RE: Microsoft versus Microsoft: IE9 busts MSDN for a security gaffe

        @Ed Bott

        Yeah, it was with the Release Candidate. You can see it here:

        www.winmatrix.com/forums/index.php?/topic/31071-lol-at-microsoft-zune-software/
        The one and only, Cylon Centurion
  • RE: Microsoft versus Microsoft: IE9 busts MSDN for a security gaffe

    You realize all the people with talent are leaving MS right?
    Hasam1991
    • Really?

      @Hasam1991 Apple fanboi?
      General C#
    • I can see why no one takes you seriously

      @Hasam1991

      As you are not very well informed on many things.

      :|
      Tim Cook
    • Thanks large for the news flash bud.

      @Hasam1991
      Wait a second....aren't you one of the bunch who always said MS has no talent???

      Something fishy going on here.
      Cayble
      • They've always had talent

        They just never used it.

        I've spent the last two days fixing the latest MCSE stuff up. I'm amazed people still defend windows.

        On fresh installs hardly anything works, locked down security settings that are nothing but an inconvenience, links on the MS website that won't work on Windows/IE when they do on Mac/Safari, warning messages and "helpful" hint panels popping up all the time, 3 reboots before a new system is fully patched, several versions of anything from MSDN (x86, x64, etc), Bing searches that return old versions of software on MS's own site (e.g. JDBC drivers), malicious software tools updates on server, ...

        I'm just scratching the surface of the glaring deficiencies. People that think windows is leading edge need to start using some alternate OSes for a while.
        Richard Flude
      • Rly?

        @Richard Flude
        I've personally used various versions of Mac OS X and Linux and none of them beats Windows in usability (Mac) or stability (Linux).
        cym104
      • RE: Microsoft versus Microsoft: IE9 busts MSDN for a security gaffe

        @Richard Flude

        "On fresh installs hardly anything works, locked down security settings that are nothing but an inconvenience, links on the MS website that won't work on Windows/IE when they do on Mac/Safari, warning messages and "helpful" hint panels popping up all the time, 3 reboots before a new system is fully patched, several versions of anything from MSDN (x86, x64, etc), Bing searches that return old versions of software on MS's own site (e.g. JDBC drivers), malicious software tools updates on server, ..."

        Really? I think you're making that up. On fresh installs, your system should be running at top efficiency. Not crashing and "not working". Unless you're doing fresh installs of Windows XP. In which case, yeah, the amount of missing drivers caused everything not to work.

        I've never had this happen to me upon fresh installs, especially with Vista or 7. Everything worked and ran well. I see no "Locked down security settings" causing an inconvenience to me.

        And -10 for the crying over rebooting. It happens. Too bad so sad.
        The one and only, Cylon Centurion
      • RE: Microsoft versus Microsoft: IE9 busts MSDN for a security gaffe

        @Richard Flude

        They've always had talent, they've used it but then stopped and now are back on top of things. Windows 7, Windows Phone 7, Office 2010 and so on are all excellent products.

        I've been using PCs since the late '80s with HP offerings and later went to Windows with 3.11, I've used a multitude of different OSes and computers in my time. I remember alpha/beta/RC testing of XP and it was quite the delight as most things worked right out the gate and with a quick Windows Update everything worked perfectly. With Windows Vista and Windows 7 things only got better and clean installs of Windows 7 now result in everything working out of the gate... At least on any standard PC... The exception would be the Mac which requires Boot Camp among other things to run basic PC hardware found in all PCs.

        I've yet to find a page that I have any issues opening with IE9 so I'm not sure exactly where you find this problem site... Please post it up so we can take a look at exactly what you're talking about otherwise we'll have to disregard your statement since there is no evidence of such issue.

        As it comes to updates... Updates will sometimes require a reboot as certain system files are in use by the OS and can only be modified when not in use hence a reboot will unlock these files. This is true for any OS.
        audidiablo
        • RE: Microsoft versus Microsoft: IE9 busts MSDN for a security gaffe

          @Richard Flude

          The only surface I see you scratching is your head as you come up with more inane statements.

          I use Windows 7 x64, Linux (BT5) Gnome...

          I wouldn't touch OS X with a ten foot pole. Always the first to go down at PWN2OWN, now gets malware, endless comments on the Apple forums of the spinning beach ball of death and so on. Their motto "It just works" I've been able to prove wrong for decades. If you plug in a scanner you'd think it would just work... Well it just didn't. Going to Fry's and looking at all the computers offered... I saw a mother and daughter shopping, they were looking at the Macs. The daughter said she wanted a Mac as it was the cool thing (trendy) but nothing to back up for productivity as the mother had asked. The daughter regurgitated a bunch of garbage from the Apple commercials such as "it just works" and "never crashes"... As my friends know I'm quite the cynic and love to have fun with these things... I walked down the Mac aisle and walked up to a super fancy iMac on display. Moving the mouse resulted in no movement at all, all keys on the keyboard resulted in no action on the screen. I loudly announced "Hey Hilary! Look at this iMac!!! It's just working!!! Never crashes!!! Wait... What the!? Excuse me sir, is this how Macs "just work"? The store rep replied... "Hmm, looks like it locked up..." Me: So you mean it crashed? But I thought Macs just work and never crash?"... The mother and daughter at that point seemed quite displeased... I went to the other side and started playing Mahjong on a touch screen HP that was half the price... "Hey Hilary! This one seems to actually work and not crash! Oh and it has a fancy touch screen too!!!" Guess who came wandering over asking for my advice? That's right, the mother and daughter. They had then realized that they'd almost made a huge mistake buying an Apple Crashntoss. They bought a nice Asus laptop with my help and I'm sure she can get some real work done now without crashing. :)
          audidiablo
  • RE: Microsoft versus Microsoft: IE9 busts MSDN for a security gaffe

    It means IE9 is doing its job (while the VS/MSDN team isn't).

    Think about this: if someone hacked a Microsoft server, or hijacked a DNS server and redirected your download request to a fake server, the installer's certification would be the last line of the defense.

    DNS redirection may not be easy (yet ISPs do it all the time) but getting one of those microsoft.com certificates for an application is just downright impossible...

    Well, almost impossible if not for a bonehead mistake like Comodo made a couple of months ago.

    Anyhow, bravo for IE9!
    Samic
    • RE: Microsoft versus Microsoft: IE9 busts MSDN for a security gaffe

      @Samic
      IE9 really doesn't like those standards do they :P ?
      xnederlandx
  • RE: Microsoft versus Microsoft: IE9 busts MSDN for a security gaffe

    I don't see why this is a problem. It was a brand new release and should trigger the warning. Just because it's on MS's servers doesn't mean it's not malware.

    Downloading it required clicking on "yes I'm really really sure" a few times, but I'd rather have this than Chrome's behavior of automatically executing anything you download.
    spivonious
    • Not if it was properly signed

      @spivonious

      If it had been signed with a well-known Microsoft certificate it would have been green-lighted right away.
      Ed Bott
      • RE: Microsoft versus Microsoft: IE9 busts MSDN for a security gaffe

        @Ed Bott
        For a company of the size of MS, offering almost all kinds of IT products, I don't see this as a huge problem. It does not matter how much they talk about "synergy", I believe different divisions work as independent companies.
        Let me tell you a little story:
        I am from Brasil and my former manager worked at Lotus Brasil, supporting Notes and SmartSuite. He told me that in that time there was a very strong competition between the SmartSuite people and MS Office people and sometimes things got very "personal", especially in events like COMDEX. On one occasion, a big SmartSuite user (a government agency) started to have issues running the system, and it seemed that the problem was in Windows. MS sent a bunch of developers from Redmond to the Lotus office in São Paulo to identify the problem. My former manager said that everybody was very friendly, very different from the behavior he was used to seeing. After some "caipirinhas" on the last day, he asked the MS guys about that, and how they could work so well with a competitor. The answer was something like "I don't sell MS Office, I sell Windows. I want to make Windows run well with any application. For me MS Office is just another application"...
        Marcvs Vinicivs
    • RE: Microsoft versus Microsoft: IE9 busts MSDN for a security gaffe

      @spivonious: wow, that's pretty bad, although I hate explaining the 'yellow bar' thing to clients, automatically running is just wrong. Someone should blare that all over :)
      jgwinner
    • Chrome doesn't auto-execute

      @spivonious

      It downloads automatically but doesn't execute without user interaction.

      Safari on the Mac, on the other hand, DOES execute installers automatically using default settings.
      Ed Bott
      • Open safe files in Safari

        On Mac OS X Safari will open "safe" files, including mounting image volumes. Personally I'd remove this feature, and I disable it on all systems I set up.

        It does not, however, "execute installers" automatically. Executables are not "safe" and Mac OS X doesn't have the equivalent of Windows' "autorun".

        Indeed "installers" are not common on Mac OS X, applications typically being self-contained and not requiring installation (advanced shared library system, even supporting multiple versions).

        But nice try Ed ;-)
        Richard Flude