mailing list archives
Microsoft signed software can be install software without prompting users
From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Mon, 21 Feb 2000 10:39:38 -0800
Juan asked me to forward this message from him to the list. He has discovered
that an ActiveX control shipped with IE can be used to install software
components signed by Microsoft without prompting the user. This of curse
raises trust issues.
Someone, not necessarily Microsoft, could use this control to install a
Microsoft signed component in your system. For example, they may install
a Microsoft component with a known security hole which they could then use
to take control of your computer. The problem is exploitable both via
the web (IE) and email (Outlook).
Message-ID: <002701bf7abe$86a071e0$647ee381 () home>
From: "Juan Carlos Garcia Cuartango" <cuartango () teleline es>
To: <aleph1 () securityfocus com>
Subject: Software back door
Date: Sat, 19 Feb 2000 10:48:15 +0100
I have found something IMO very serious. Could you post this issue to Bugtraq ?
There is a MS ActiveX component called MS Active Setup, this component delivered with IE 4 and 5 is intended to provide
remote software installation over the Internet. The component will only install signed software (authenticated
The issue is : Under regular circumstances the software will ask the user about the software manufacturer asking him
before start the installation , but if the software manufacturer is Microsoft the user is not warned and the software
will be silently installed.
This open a big privacy hole, MS is able to silently perform any action in our Windows systems whenever we are visiting
a WEB page or by opening an e-mail.
I have prepared a demo in http://www.angelfire.com/ab/juan123/iengine.html
Active Setup documentation can be found at http://msdn.microsoft.com/library/periodic/period98/vbpj0798.htm
----- End forwarded message -----