Skip to main content

Microsoft Policies on Software Distribution

An important key to safe computing is to never use software from unknown sources. As pointed out in a CERT advisory, malicious users often use "Trojan Horses" to deliver harmful software onto unwary users' computers. A Trojan Horse is a piece of software that appears to do something useful, but which actually performs hidden, usually damaging, action on the user's computer. For example, a malicious user might develop a game program that deliberately erases files on the user's computer while it runs, and distribute it via a web site.

Another Trojan Horse mechanism that is frequently used is to send malicious software to users via e-mail, claiming that it is a product upgrade from a software vendor. Recently, several people have done this, sending e-mails that contain software attachments to wide audiences on the Internet. The e-mails claim that the attachments are product upgrades from Microsoft or other software vendors, but in fact they are harmful software that may damage the user's software and files when they run the attachments.

Microsoft never distributes software directly via e-mail.

  • We distribute software on physical media like CD ROMs and floppy disks.
  • We distribute upgrades via the Internet. When we do this, the software will be available via our web site, http://www.microsoft.com, or through http://www.microsoft.com/downloads/.
  • We occasionally send e-mail to customers to inform them that upgrades are available. However, the e-mail will only provide links to the download sites -- we will never attach the software itself to the e-mail. The links will always lead to either our web site or our FTP site, never to a third-party site.
  • We always use Authenticode to digitally sign our products and allow you to ensure that they have not been tampered with.

If you receive an e-mail that claims to contain software from Microsoft, do not run the attachment. The safest course of action is to delete the mail altogether. If you would like to take additional action, report the e-mail to the sender's Internet Service Provider. Most ISPs provide an "abuse" userid for this purpose.