Description: The Microsoft Active Setup ActiveX component in Internet Explorer 4.x and 5.x allows a remote attacker to install software components without prompting the user by stating that the software's manufacturer is Microsoft.
References: BUGTRAQ:20000221 Microsoft signed software can be install software without prompting users | URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=20000221103938.T21312@securityfocus.com | XF:win-active-setup
Phase: Modified (20000321-01)
Votes: ACCEPT(4) LeBlanc, Wall, Baker, Levy | MODIFY(1) Frech | NOOP(1) Cole | REVIEWING(1) Christey
Comments:
Christey> In a followup to Bugtraq, Juan Carlos Cuartango makes some
  clarifications, specifically that the code that is executed
  *must* be signed by Microsoft.

  See BUGTRAQ:20000222 MS signed softwrare privileges

  Microsoft sends some followups, including a statement that it
  will include notification.

  The question is, does this belong in CVE? There is no known
  means of exploitation; on the other hand, it is related
  to privacy concerns. Several posts to the Bugtraq list
  indicate that some people believe that unprompted installation
  is a significant concern.
Frech> XF:win-active-setup
Levy> BID 999

  I do consider this vulnerability as it allows a malicious web page
  to install *old* and *vulnerable* components signed by Microsoft.
LeBlanc> Fixed in MS00-042
Christey> BID:999
  Also add XF:ie-active-setup-download ?