This feature allows the user to block all signed content from a given publisher without showing the Authenticode dialog box to the user while doing so. This stops code from the blocked publisher from being installed. This feature also blocks installation of code with invalid signatures.
This feature applies to all users, since it deals with installation and running of applications that are signed.
Blocked Publisher
Detailed description
Through Authenticode, the user can block content for a given publisher from installing or running. To do this, the user selects the Never trust content from PublisherName check box in the Authenticode dialog box. If selected, the user is never prompted when code that is identified with the publisher's digital signature is trying to install itself on their system. It will be automatically blocked without showing the Authenticode dialog box.
Why is this change important? What threats does it help mitigate?
This feature was designed to help users block ActiveX controls and other signed file formats from repeatedly prompting them on the Web. Users had no way of saying, "I don't want content from this publisher. Do not ask me again." Because they didn't have this feature, many users installed applications or content just to keep from encountering repeated prompts.
What works differently?
Previously, the Authenticode dialog box only supported selecting the Always trust content from Publisher check box, which allowed the automatic install of code from a specified publisher without prompting the user. Now the user can perform the opposite action and designate a publisher as untrusted. No application compatibility issues should be encountered for trusted code.
Blocking Invalid Signatures
Detailed description
By default, Windows blocks the installation of signed code if it has an invalid digital signature.
Why is this change important? What threats does it help mitigate?
If code has an invalid signature, it usually means that the code has been changed since it was signed. When this happens, Internet Explorer considers the code to be unsigned, since someone might have tampered with it. By default, Internet Explorer blocks unsigned ActiveX applications that come from the Internet zone. This change extends that functionality so that it applies to all code with invalid signatures.
What works differently?
By default, code with invalid signatures cannot be installed.
How do I resolve these issues?
To revert to previous functionality and allow unsigned code to run, see the RunInvalidSignatures setting in the "What settings are added or changed in Windows XP Service Pack 2?" section below.
One prompt per control per page
Detailed description
Internet Explorer only prompts once per ActiveX control per page.
Why is this change important? What threats does it help mitigate?
This change helps defend against the social engineering trick of prompting the user a number of times for the same control. Even though users repeatedly refuse, they cannot get out of the loop, and they might eventually accept the installation out of frustration.
What works differently?
The user only sees one prompt per page per control.
Ellipsis placed on text for application description and publisher name
Detailed description
When the text that is given for the application description, file name, or publisher name is wider than the dialog box, Internet Explorer places an ellipsis on the text. This helps indicate to the user that there is more text that they are not seeing.
Why is this change important? What threats does it help mitigate?
This reduces the ability of control authors to place marketing text and EULAs in the dialog box or to use other social engineering tricks to overwhelm users and get them to install the control.
What works differently?
Application description, file names, and publisher names will contain an ellipsis if the text is longer than the width of the dialog box. No applications or Web pages should need to be modified.
| Setting name | Location | Previous default value (if applicable) | Default value | Possible values |
|---|---|---|---|---|
| RunInvalidSignatures | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download<br>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Download | None | No. | |
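The following is an added example, not part of the original page: a PowerShell audit of the RunInvalidSignatures value in the two registry locations listed in the table, so that hosts where the default blocking has been changed can be flagged. It assumes PowerShell 3.0 or later and treats any value other than 0 as needing review, because the page does not list the possible values; the function name and state labels are made up for this example.

```powershell
# Added example: report how RunInvalidSignatures is set in both locations.
$valueName = 'RunInvalidSignatures'
$locations = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Download',
    'HKLM:\Software\Microsoft\Internet Explorer\Download'
)

# Hypothetical helper name; returns one object per registry location.
function Get-RunInvalidSignaturesState {
    param(
        [string[]]$Path,
        [string]$Name
    )

    foreach ($p in $Path) {
        # Key or value absent: nothing overrides the default behaviour.
        $state = 'NotConfigured'
        $raw   = $null

        if (Test-Path -LiteralPath $p) {
            $item = Get-ItemProperty -LiteralPath $p -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $raw = $item.$Name
                # Assumption: 0 keeps invalid signatures blocked; anything
                # else (including unexpected types) is flagged for review.
                $state = if ($raw -eq 0) { 'Blocked' } else { 'ReviewRequired' }
            }
        }

        [pscustomobject]@{
            Location = $p
            Value    = $raw
            State    = $state
        }
    }
}

$results = Get-RunInvalidSignaturesState -Path $locations -Name $valueName
$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled compliance job flag the host.
if ($results.State -contains 'ReviewRequired') { exit 1 }
```

Run it in the context of the user being audited, since the HKEY_CURRENT_USER location is per user.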