Security Information and Code Updates

Download the Authenticode Update Before June 30!
Authenticode 2.0 Brings Improvements and Renews Security Feature for Users Running Internet Explorer on Windows 95 and NT 4.0 Computers

If you're running Internet Explorer on a Windows 95 or NT 4.0 computer, you should download Authenticode 2.0 soon (English only—International versions to follow shortly), both to take advantage of significant new improvements in the security feature and to renew important Authenticode information on your computer that will expire on June 29.

You must be running Internet Explorer version 3.02 to download Authenticode 2.0. If you're running an earlier version, you can download 3.02 now and then download Authenticode 2.0 from the link above.

Here are some of the new features that Authenticode 2.0 will bring to you:

The last point makes it very important that you download Authenticode 2.0 before June 30. Otherwise you'll begin to see confusing messages while surfing the Web. If you haven't upgraded by June 30, a number of key Authenticode certificates on your computer will have expired, which will result in warnings that perfectly good software components—including ActiveX Controls and Java applets—are either unsafe to download or that their certificates are out of date.

This scheduled upgrade of Authenticode will renew the certificates and, as noted above, include timestamp checking, which will help prevent the need for you to download further updates of this kind. But for now it's important that you download this update before June 30 so the security system will continue to be useful to you.

If you are running the 128-bit version of Internet Explorer 3.02, you should also download Authenticode 2.0 from the link at the top of this page. The same download works for both 40-bit and 128-bit versions of the browser.

Answers to questions about the Authenticode Update:

Q: If I don't download the update, am I exposing my computer to security risks?

A: No. If you don't download the update, you won't face new security risks, but you will miss out on some important new features. Plus, you'll face a big problem starting June 30. From that point on, you will receive warnings telling you that software you find on the Internet is not safe to download—even when it has been properly signed by a reputable software vendor.

Q: Will I be able to download and view ActiveX controls after their certificates expire?

A: Yes, but if you don't download the update you will first see security warnings for properly signed controls. Here's what you'll see when you open an ActiveX control after June 29 if you haven't downloaded the upgrade:

In either case, you can still choose to download and run the code if you trust the publisher.

Q: What about controls that are already on my system? Will they still run?

A: Yes. Signed code that has already been downloaded to your machine will continue to work, even if you do not have the upgrade.

Q: Do ActiveX publishers need to update their controls in some way? How is Microsoft helping developers make this upgrade?

A: All software publishers who have developed controls for the Web should re-sign and timestamp their code before their current certificate expires in order to take advantage of the new features in Authenticode 2.0. But existing certificates and controls will work fine with Authenticode 2.0, since it is backwards compatible. Microsoft is providing new tools to publishers in parallel with the upgrade for end users. If you are a software publisher, refer to our Site Builders Network page for the new code-signing tools and more information.

Why do the certificates expire?

A: By design, certificates expire in order to prevent the indefinite use of a certificate. By creating this "valid time window" for a certificate, the design of Authenticode limits the potential damage that can arise from a compromised certificate.

©1997 Microsoft Corporation. All rights reserved. Legal Notices.
Last Updated: Tuesday, June 03, 1997