
Doesn't Code Signing and Microsoft's Authenticode technology prevent people from distributing malicious ActiveX controls?


No. Code Signing simply attempts to identify who signed the control. Anyone can go out and get a code signature. It’s a pretty much automatic process. You go to a web site, give them a name, address, credit card number and some other stuff (none of which have to be yours), click “I Agree” on a page full of legal jargon, and pretty soon you get an e-mail with the information you need to sign the control in it. Once you have your Digital ID, you can sign any unsigned ActiveX control. Nobody reviews these controls! In other words, a signature doesn’t tell you who wrote the control and it doesn’t tell you if the control is safe or not. Heck, with the number of hot credit card numbers out on the net, it doesn’t even tell you for sure who signed it. A danger is that seeing that a control is signed will give folks a warm fuzzy feeling about the control, and encourage them to run it, even though it does not guarantee their safety!
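
The distinction drawn in the answer above, as an added example that is not part of the original answer: a `Valid` Authenticode status is recorded as evidence of who signed the file, and the decision to allow it is made separately against a list of publishers you have vetted yourself. The function name, the thumbprint list and the folder path are assumptions made for illustration.

```powershell
# Added example. The thumbprint and folder below are constructed placeholders.
$TrustedPublisherThumbprints = @(
    '0000000000000000000000000000000000000000'   # placeholder: a publisher you have vetted
)
$ControlFolder = 'C:\Path\To\Controls'           # placeholder path

function Get-ControlTrustDecision {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedThumbprints
    )

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate   # $null when the file is not signed

    # 'Valid' means only that the file is unchanged since it was signed and the
    # certificate chains to a trusted root. It says nothing about what the code does.
    $decision = if ($sig.Status -eq 'NotSigned') {
        'Block: unsigned'
    } elseif ($sig.Status -ne 'Valid') {
        "Block: signature status $($sig.Status)"
    } elseif ($signer.Thumbprint -notin $AllowedThumbprints) {
        'Block: validly signed, but publisher not vetted'
    } else {
        'Allow: signed by a vetted publisher'
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Subject    = if ($signer) { $signer.Subject } else { $null }
        Thumbprint = if ($signer) { $signer.Thumbprint } else { $null }
        Decision   = $decision
    }
}

# Report on every control in the folder; signed-but-unvetted files stay blocked.
Get-ChildItem -Path $ControlFolder -Include *.ocx, *.dll -Recurse |
    ForEach-Object {
        Get-ControlTrustDecision -Path $_.FullName -AllowedThumbprints $TrustedPublisherThumbprints
    } |
    Format-Table -AutoSize
```

An `Allow` result here reflects only your own vetting of the publisher; the signature itself contributes the identity claim and the integrity check, nothing more.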
