We announce two different Win32 executable files with different functionality but identical MD5 hash values. This shows that trust in MD5 as a tool for verifying software integrity, and as a hash function used in code signing, has become questionable. Software is vulnerable to threats on its integrity. For example, when a program is made available as an executable file on the web for downloading,