IE May Allow Component Regression

Reported February 22, 2000 by Juan Carlos Garcia Cuartango
VERSIONS AFFECTED
Internet Explorer 4.x and 5.x

DESCRIPTION

Internet Explorer ships with an ActiveX component called MS Active Setup. The component is shipped with with IE 4.x and 5.x, and is intended to provide remote software installation over the Internet. The component will only install software authenticated with a signature.

Under normal operational circumstances an installation process will inform the user about any authentication signature found within a given package before allowing that software to be installed on a given machine. However, because of Microsoft"s tightly integrated desktop, packages with signatures from Microsoft are not forced to adhere to this normal operational procedure, but instead are allowed to become silently installed without user notification.

Microsoft software packages are given special blind trust treatment by a Windows operating system where the user has absolutely no control over this trust. 

As Juan so adequately points out, this offers the opportunity for Microsoft components to be installed without a user"s direct knowledge. Minimally, an intruder could downgrade software components on a remote machine to older, bug-ridden components that may afford the intruder whatever desired access to that remote machine.

DEMONSTRATION

Juan has prepared a demonstration of this risk on his Web site. In addition, if you"re investigating the technical details of this issue then you may want to review the Active Setup documentation.

VENDOR RESPONSE

Microsoft is aware of this issue, however no comment was available at the time of this writing.

CREDITS
Discovered by Juan Carlos Garcia Cuartango