Description

Brief summary: The active setup control in Internet Explorer allows immediate execution of trusted downloads, and allows them to be stored at locations specified by the downloader, rather than the installer.

Detailed description: Internet Explorer's Active Setup control treats Microsoft-signed downloads differently than other downloads. With all digitally-signed downloads except those from Microsoft, Explorer identifies the signer and asks if the user wants to continue. This is not done for Microsoft-signed downloads. Further, the user is asked where he or she would like to store the download, and the user may specify a file or directory.

Suppose a Windows NT system mounts its data from a central server to which the Internet Explorer has access (either because it runs on the server or, more likely, shares the same volumes). The IE user downloads some Microsoft-signed package and specifies that it is to be saved in a location that overwrites key files on the server. This denies other users access to the files overwritten.

Components: Internet Explorer 5.5 and earlier, even with service packs

Operating system(s): Windows NT 4.0, all versions; Windows 2000, all versionsThe Internet Explorer user can overwrite files on disk.

How to detect:

1. Check your version of Internet Explorer. Apply the patch for the following (or earlier) versions of Internet Explorer: IE 4.01 SP2, version 4.72.3612.1713; IE 5.01 on Windows NT, version 5.0.2919.6307; IE 5.01 on Windows 2000, version 5.00.2920.0000; IE 5.01 SP1, version 5.00.3105.0106; IE 5.5, version 5.50.4134.0600

How to fix:

1. Install the patch
   1. Be sure you are running Internet Explorer 4.01 SP2 or Internet Explorer 5.01 or later. The patch requires this to install.
   2. Download the patch for your version of Outlook or Outlook Express and install it.
2. Configure Outlook to use MAPI only. This eliminates the vulnerability.
3. If you are using any system other than Windows 2000, install Internet Explorer 5.01 SP1 or Internet Explorer 5.5. This eliminates the vulnerability.
4. If you are using Windows 2000, install Windows 2000 SP1.

Other information:

Keywords

Cataloguing Information

PA Classification:

RISOS Classification:

Davis Classification:

Common Vulnerability Exposure: The Microsoft Active Setup ActiveX component in Internet Explorer 4.x and 5.x allows a remote attacker to install software components without prompting the user by stating that the software's manufacturer is Microsoft. [CAN-2000-0160]

Exploits

Attacks: See Doves exploit #107

Related Information

Advisories:

• Microsoft Security Bulletin MS00-042, Patch Available for "Active Setup Download" Vulnerability ;
• Security Focus letter from Elias Levy forwarding vulnerability

History

Who reported it: USSR Labs in Bugtraq on July 5, 2000: independentlydiscovered the problem and reported it to Microsoft; Aaron Drew in Bugtraq on July 18, 2000: independently discovered the problem

Revision #1

1. Matt Bishop on 8/1/2000
   Initial entry

Dove images © 1999-2000 www.barrysclipart.com