Active setup download

DOVES Vulnerability V-00106

DOVES Project
Computer Security Laboratory
Department of Computer Science
University of California at Davis

Description

Brief summary: The active setup control in Internet Expllorer allows immediate execution of trusted downloads, and allows them to be stored at locations specified by the downloader, rather than the installer.

Detailed description: Internet Explorer's Active Setup control treats Microsoft-signed downloads differently than other downloads. With all digitally-signed downloads except those from Microsoft, Explorer identifies the signer and asks if the user wants to continue. This is not done for Microsoft-signed downloads. Further, the user is asked where he or she would like to store the download, and the user may specify a file or directory.

Suppose a Windows NT system mounts its data from a central server to which the Internet Explorer has access (either because it runs on the server or, more likely, shares the same volumes). The IE user downloads some Microsoft-signed package and specifies that it is to be saved in a location that overwrites key files on the server. This denies other users access to the files overwritten.

Components: Internet Explorer 5.5 and earlier, even with service packs

Operating system(s): Windows NT 4.0, all versions; Windows 2000, all versionsThe Internet Explorer user can overwrite files on disk.

How to detect:

Check your version of Internet Explorer. Apply the patch for the following (or earlier) versions of Internet Explorer: IE 4.01 SP2, version 4.72.3612.1713; IE 5.01 on Windows NT, version 5.0.2919.6307; IE 5.01 on Windows 2000, version 5.00.2920.0000; IE 5.01 SP1, version 5.00.3105.0106; IE 5.5, version 5.50.4134.0600

How to fix:

Download the patch for your version of Internet Explorer and install it.

Other information:

Keywords

mobile code, save, overwrite web browser

Cataloguing Information

PA Classification:

RISOS Classification:

Davis Classification:

Common Vulnerability Exposure: The Microsoft Active Setup ActiveX component in Internet Explorer 4.x and 5.x allows a remote attacker to install software components without prompting the user by stating that the software's manufacturer is Microsoft. [CAN-2000-0160]

Exploits

Attacks: See Doves exploit #106

Related Information

Microsoft Knowledge Base article Q265258, Patch Available for "Active Setup Download" Vulnerability in Internet Explorer

Advisories:

Microsoft Security Bulletin MS00-042, Patch Available for "Active Setup Download" Vulnerability ;
Security Focus letter from Elias Levy forwarding vulnerability

History

Who reported it: Juan Carlos Garcia Cuartango in Bugtraq on Feb. 19, 2000: reported the problem and gave an exploit

Revision #1

Matt Bishop on 7/31/2000
Initial entry

Send email to doves@cs.ucdavis.edu

Department of Computer Science
University of California at Davis
One Shields Ave.
Davis, CA 95616-8562

Page created August 28, 2000 at 16:41:46 GMT