IE May Allow Component Regression

Reported February 22, 2000 by Juan Carlos Garcia Cuartango
Internet Explorer 4.x and 5.x


Internet Explorer ships with an ActiveX component called MS Active Setup. The component is shipped with IE 4.x and 5.x, and is intended to provide remote software installation over the Internet. The component will only install software authenticated with a digital signature.

Under normal operational circumstances an installation process will inform the user about any authentication signature found within a given package before allowing that software to be installed on a given machine. However, because of Microsoft's tightly integrated desktop, packages carrying a Microsoft signature are not forced to adhere to this normal operational procedure; instead they are allowed to be silently installed without user notification.

Microsoft software packages are given special blind-trust treatment by the Windows operating system, and the user has absolutely no control over this trust.

As Juan so adequately points out, this offers the opportunity for Microsoft components to be installed without a user's direct knowledge. Minimally, an intruder could downgrade software components on a remote machine to older, bug-ridden components that may afford the intruder whatever access to that remote machine is desired.
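The core of the problem is an install policy that decides on the signer alone, so a validly signed but older build of a component is accepted as readily as a newer one. The following is an added example (not Active Setup's logic and not from Juan's demonstration) that models the two policies side by side: signature-only blind trust versus the same check with a version-regression gate that forces a prompt whenever a package would replace a newer installed version. The Package fields, publisher names and version strings are constructed for illustration.

```python
"""Illustrative install-policy gate for a signed-component installer.

Added example; it does not reproduce Active Setup's real behaviour. The
Package fields (publisher, signature_valid, version) are hypothetical stand-ins
for what a signature check and a component inventory would report.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Package:
    name: str
    publisher: str          # hypothetical: the signer named in the package's certificate
    signature_valid: bool   # hypothetical: result of verifying the package signature
    version: str            # dotted version string, e.g. "5.0.1" (constructed values below)


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted version into a tuple of ints so that "5.0.10" > "5.0.9"."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"non-numeric version component: {piece!r}")
        parts.append(int(piece))
    # Trailing zeros do not change the version: "5.0" == "5.0.0".
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_downgrade(candidate: str, installed: Optional[str]) -> bool:
    """True when installing `candidate` would replace a newer `installed` version."""
    if installed is None:          # nothing installed yet: cannot be a regression
        return False
    return parse_version(candidate) < parse_version(installed)


def decide_blind_trust(pkg: Package, installed: Optional[str],
                       trusted_publishers: Set[str]) -> str:
    """Policy 1: the signer alone decides. A trusted signer installs silently,
    even when the package is older than what is already on the machine."""
    if not pkg.signature_valid:
        return "reject"
    if pkg.publisher in trusted_publishers:
        return "install-silently"
    return "prompt"


def decide_with_regression_check(pkg: Package, installed: Optional[str],
                                 trusted_publishers: Set[str]) -> str:
    """Policy 2: same trust list, but a version regression always needs explicit
    user consent, regardless of who signed the package."""
    if not pkg.signature_valid:
        return "reject"
    if is_downgrade(pkg.version, installed):
        return "prompt"            # a validly signed older build still stops here
    if pkg.publisher in trusted_publishers:
        return "install-silently"
    return "prompt"


if __name__ == "__main__":
    # Constructed scenario: a trusted-signer package older than the installed build.
    older_build = Package("Example Component", "Trusted Vendor", True, "4.1.0")
    print(decide_blind_trust(older_build, "5.0.1", {"Trusted Vendor"}))
    print(decide_with_regression_check(older_build, "5.0.1", {"Trusted Vendor"}))
```

The version parser is the part that matters in practice: a string comparison would rank "5.0.9" above "5.0.10" and let a genuine regression through, so the gate compares numeric tuples and treats trailing zeros as equal.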


Juan has prepared a demonstration of this risk on his Web site. In addition, if you're investigating the technical details of this issue, you may want to review the Active Setup documentation.


Microsoft is aware of this issue; however, no comment was available at the time of this writing.

Discovered by Juan Carlos Garcia Cuartango
