COMMAND

    activex

SYSTEMS AFFECTED

    IE 4, 5, Outlook Express

PROBLEM

    Juan  Carlos  Garcia  Cuartango  found  following.   There is a MS
    ActiveX component called MS Active Setup, this component delivered
    with  IE  4  and  5   is  intended  to  provide  remote   software
    installation over the Internet.   The component will only  install
    signed software  (authenticated software).   The issue  is:  Under
    regular circumstances  the software  will ask  the user  about the
    software manufacturer  asking him  before start  the installation,
    but if  the software  manufacturer is  Microsoft the  user is  not
    warned and the software will be silently ins talled.  This open  a
    big privacy  hole, MS  is able  to silently  perform any action in
    our Windows  systems whenever  we are  visiting a  WEB page  or by
    opening an e-mail.  Juan has prepared a demo in

        http://www.angelfire.com/ab/juan123/iengine.html

    Active Setup documentation can be found at

        http://msdn.microsoft.com/library/periodic/period98/vbpj0798.htm

    So, someone, not necessarily Microsoft, could use this control  to
    install a Microsoft signed component in your system.  For example,
    they may install a Microsoft component with a known security  hole
    which they could then use to  take control of your computer.   The
    problem is exploitable both via the web (IE) and email (Outlook).

    There is another issue.  MS can silently execute any code in  your
    Windows systems  just using  their signature.   MS has  privileged
    their  code,  even  if  your  IE security setting "Download signed
    ActiveX" is set  to prompt MS  software will be  installed without
    prompting the user.   It seems that MS  has left a back  door that
    will allow them to perform any action in the Windows systems  just
    visiting  a  WEB  page  or  opening  an e-mail message.  Juan have
    prepared a  demo available  on page  above.   This demo  shows the
    diferent  behaviour  of  IE  when  the  ActiveX is signed by MS or
    signed by  others.   This issue  opens a  big security and privacy
    hole, MS  can take  complete control  over our  systems using this
    backdoor.

SOLUTION

    Disable the "Download signed  ActiveX" security option.   But this
    solution will  also forbid  other software  manufacturers to offer
    you  their  software  in  the  clear  way, that is:  asking before
    install.   As  usual,  you  can  also  disable JavaScripting as an
    alternative to the first solution.  Disabling the specific control
    rather than all component download or jscript might be  preferable
    for some folk.

    When Juan found the problem with the DHTML Edit control last year,
    someone from MS intriguingly  mentioned "classid revocation" as  a
    means  to  disable  a  specific  control.   No  one got any useful
    details at the time, but some  info finally surfaced in the MS  KB
    article Q240797.

    Miscorsoft will be modifying the  Active Setup control so that  it
    warns  before  downloading  unless  a  customer  has  specifically
    requested that he not be warned in the future.