Self Extracting EXE Files & Security

Security and the dangers of self extracting executables

Security and the dangers of self extracting exe files to distribute PDF DRM

The biggest hazard of the self extracting exe file is that until you have run it you have no way of knowing what it is actually going to do.

It is correct that WinZip files CAN be digitally signed, but it has to be done by a separate process using Authenticode, which is normally used during application installation processes rather than when running an application program.  But this process is done by organizations that are in the business of developing and selling computer applications, and the control of the encryption technology used is guarded very carefully – nobody wants the situation where another organization could pretend to be them.  In fact it’s not so long ago that a Certification Authority had to shut down after finding that hackers had got hold of code signing certificates allowing them to appear to be Microsoft, amongst others.

So Locklizard code is Authenticode signed so you can be sure it came from us and has not been altered.  But signing self extracting files on-the-fly for the average user is impractical.

And that is why corporate IT departments do not allow people to download self-extracting .exe files or copy them onto their hard drives and then run them.  You don’t know what they are going to do and there is no way of examining all their internals successfully with anti-virus to know if they are safe.

There is another problem with using self extracting exe files, and that is they generally require some information to be input before they decrypt the content.  This is often in the form of a password.  And that is not much for security since, as we all know, passwords can (and are) given away by all and sundry, particularly when there’s no obvious comeback.

As a result, although self extracting exe files originally proved to be a popular way of distributing information, it has become deprecated (considered bad practise) in the IT security arena and increasingly are rejected by IT department controls and Windows security systems.

The conclusion is that if you are looking for a method for distributing PDF DRM, self extracting exe files is not the route to go.  You will face pushback from IT departments and Windows, and also from more savvy users.