Active Setup Download Vulnerability
A security vulnerability exists in an ActiveX control that ships with Microsoft® Internet Explorer. A malicious web site operator could use it to overwrite files on the computer of a user who visits the operator's site.
Issue
The Active Setup Control allows .cab files to be downloaded to a user's computer as part of the installation process for software updates. However, the control has two flaws. First, it treats every Microsoft-signed .cab file as trusted and downloads it without asking for the user's approval. Second, it provides a method by which the caller can specify the download location on the user's hard drive. In combination, these two flaws would allow a malicious web site operator to download a Microsoft-signed .cab file to a path of the operator's choosing, overwriting whatever file is already there. By overwriting system files, the operator could render the machine unusable.
It is important to note that this vulnerability provides no capability to actually install the software that has been downloaded: it only allows files to be overwritten, which makes it a denial of service attack. System File Protection in Windows 2000 would prevent an attack like this one from being used to overwrite system files.
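The combination described above, a signature check that is mistaken for authorization plus a caller-controlled destination path, is worth seeing side by side with its hardened form. The following is an added illustration written for this page; it is not the Active Setup Control's code, and the function names, the dictionary stand-in for a signed .cab and the constructed victim file are all assumptions made for the example. It models the unpatched behaviour (signed file written wherever the caller says, with no prompt) next to a version that confines the destination to a download directory, refuses to clobber existing files, and still asks the user.

```python
"""Illustrative model of the two Active Setup flaws and a hardened equivalent.

This is example code written for this page, not the control's own code.
The .cab is modelled as a dict with a "signer" field; a real control would
verify an Authenticode signature here. The flaw is what happens *after*
the signature check passes, not the check itself.
"""
import os
import tempfile


def is_microsoft_signed(cab):
    # Stand-in for signature verification (hypothetical representation).
    return cab.get("signer") == "Microsoft Corporation"


def vulnerable_download(cab, dest_path, ask_user):
    """Unpatched behaviour: a Microsoft-signed .cab is written to the
    caller-chosen path without a prompt, so any file the user can write
    to can be overwritten by a hostile web page."""
    if not is_microsoft_signed(cab) and not ask_user(cab):
        return None
    with open(dest_path, "wb") as f:          # flaw: dest_path is attacker-controlled
        f.write(cab["payload"])
    return dest_path


class DownloadRejected(Exception):
    pass


def hardened_download(cab, download_dir, requested_name, ask_user):
    """Hardened form: the signature only authenticates origin. The caller may
    suggest a file name, never a directory; the resolved path must stay
    inside download_dir; existing files are never overwritten; and the
    user is still asked before anything is written."""
    if not is_microsoft_signed(cab):
        raise DownloadRejected("unsigned or untrusted signer")
    base = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(base, requested_name))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:                        # e.g. different drive on Windows
        inside = False
    if not inside:
        raise DownloadRejected("destination escapes download directory")
    if not requested_name.lower().endswith(".cab"):
        raise DownloadRejected("only .cab files may be written")
    if not ask_user(cab):
        raise DownloadRejected("user declined")
    # O_EXCL: create only; refuse to replace a file that already exists.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(cab["payload"])
    return target


def must_not_prompt(cab):
    raise AssertionError("the vulnerable path never prompts for a signed cab")


def demo():
    """Run both paths against a constructed victim file.

    Returns (victim_was_clobbered, hardened_rejection_reason, legit_basename).
    """
    signed_cab = {"signer": "Microsoft Corporation", "payload": b"CAB"}
    with tempfile.TemporaryDirectory() as root:
        # Constructed "system" file standing in for something the attacker wants gone.
        victim = os.path.join(root, "system", "critical.dll")
        os.makedirs(os.path.dirname(victim))
        with open(victim, "wb") as f:
            f.write(b"ORIGINAL")
        dl_dir = os.path.join(root, "downloads")
        os.makedirs(dl_dir)

        # Vulnerable control: attacker names the victim path; no prompt because signed.
        vulnerable_download(signed_cab, victim, must_not_prompt)
        with open(victim, "rb") as f:
            clobbered = f.read() == b"CAB"

        # Hardened control: same target expressed relative to the download dir.
        attacker_name = os.path.join("..", "system", "critical.dll")
        try:
            hardened_download(signed_cab, dl_dir, attacker_name, lambda cab: True)
            reason = None
        except DownloadRejected as e:
            reason = str(e)

        # A legitimate update still works under the hardened rules.
        legit = hardened_download(signed_cab, dl_dir, "update.cab", lambda cab: True)
        return clobbered, reason, os.path.basename(legit)


if __name__ == "__main__":
    print(demo())
```

The order of checks in `hardened_download` is deliberate: path confinement is decided before the user is prompted, so a consent dialog can never be used to talk the user into an out-of-directory write, and `O_EXCL` means that even a confined path cannot replace a file the update did not create.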
Affected Products
- Microsoft Internet Explorer 4.x and 5.x
Solution
Software patches can be downloaded from the locations below:
- Internet Explorer 4.01 SP2, Internet Explorer 5.01, or Internet Explorer 5.01 SP1:
  http://www.microsoft.com/windows/ie/download/critical/patch8.htm
- Internet Explorer 5.5:
  http://www.microsoft.com/windows/ie/download/critical/patch11.htm
Further Details
Source: Microsoft Corporation
Reference: Microsoft Corporation
Updated: August 9, 2000