Microsoft signed software can be install software without prompting users

[aleph1 () SECURITYFOCUS COM (Elias Levy)]

Juan asked me to forward this message from him to the list. He has discovered
that an ActiveX control shipped with IE can be used to install software
components signed by Microsoft without prompting the user. This of curse
raises trust issues.

Someone, not necessarily Microsoft, could use this control to install a
Microsoft signed component in your system. For example, they may install
a Microsoft component with a known security hole which they could then use
to take control of your computer. The problem is exploitable both via
the web (IE) and email (Outlook).

Message-ID: <002701bf7abe$86a071e0$647ee381@home>
From: "Juan Carlos Garcia Cuartango" <cuartango () teleline es>
To: <aleph1 () securityfocus com>
Subject: Software back door
Date: Sat, 19 Feb 2000 10:48:15 +0100

Elias,
I have found something IMO very serious.  Could you post this issue to Bugtraq ?

There is a MS ActiveX component called MS Active Setup, this component delivered with IE 4 and 5 is intended to provide 
remote software installation over the Internet. The component will only install signed software (authenticated 
software).
The issue is : Under regular circumstances the software will ask the user about the software manufacturer asking him 
before start the installation , but if the software manufacturer is Microsoft the user is not warned and the software 
will be silently installed.
This open a big privacy hole, MS is able to silently perform any action in our Windows systems whenever we are visiting 
a WEB page or by opening an e-mail.
I have prepared a demo in http://www.angelfire.com/ab/juan123/iengine.html
Active Setup documentation can be found at http://msdn.microsoft.com/library/periodic/period98/vbpj0798.htm
Regards,
Juan

----- End forwarded message -----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/