microsoft-install.txt

`Juan asked me to forward this message from him to the list. He has discovered  
that an ActiveX control shipped with IE can be used to install software  
components signed by Microsoft without prompting the user. This of curse  
raises trust issues.  
  
Someone, not necessarily Microsoft, could use this control to install a  
Microsoft signed component in your system. For example, they may install  
a Microsoft component with a known security hole which they could then use  
to take control of your computer. The problem is exploitable both via  
the web (IE) and email (Outlook).  
  
Message-ID: <002701bf7abe$86a071e0$647ee381@home>  
From: "Juan Carlos Garcia Cuartango" <[email protected]>  
To: <[email protected]>  
Subject: Software back door  
Date: Sat, 19 Feb 2000 10:48:15 +0100  
  
Elias,  
I have found something IMO very serious. Could you post this issue to Bugtraq ?  
  
There is a MS ActiveX component called MS Active Setup, this component delivered with IE 4 and 5 is intended to provide remote software installation over the Internet. The component will only install signed software (authenticated software).  
The issue is : Under regular circumstances the software will ask the user about the software manufacturer asking him before start the installation , but if the software manufacturer is Microsoft the user is not warned and the software will be silently installed.  
This open a big privacy hole, MS is able to silently perform any action in our Windows systems whenever we are visiting a WEB page or by opening an e-mail.  
I have prepared a demo in http://www.angelfire.com/ab/juan123/iengine.html  
Active Setup documentation can be found at http://msdn.microsoft.com/library/periodic/period98/vbpj0798.htm  
Regards,  
Juan  
  
----- End forwarded message -----  
  
--  
Elias Levy  
SecurityFocus.com  
http://www.securityfocus.com/  
  
  
`