COMMAND

    IE

SYSTEMS AFFECTED

    Microsoft Internet Explorer 4.0, 4.1, 5.0, 5.1

PROBLEM

    Juan Carlos Garcia Cuartango found the following. The Active Setup
    Control allows .cab files to be downloaded to a user's computer as
    part of the installation process for software updates. However,
    the control has two flaws. First, it treats all Microsoft-signed
    .cab files as trusted, thereby allowing them to be installed
    without asking the user's approval. Second, it provides a method
    by which the caller can specify a download location on the user's
    hard drive. In combination, these two flaws would allow a
    malicious web site operator to download a Microsoft-signed .cab
    file as a means of overwriting a file on the user's machine. By
    overwriting system files, this could allow the malicious user to
    render the machine unusable.

    It is important to note that there is no capability via this
    vulnerability to actually install the software that has been
    downloaded - the vulnerability only allows files to be
    overwritten, in a denial of service attack. System File Protection
    in Windows 2000 would prevent an attack like this one from being
    used to overwrite system files.
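
    The two flaws above, modeled as an added example (not code from
    Microsoft or from the original advisory): a destination check that
    trusts the signature and the caller's path, beside one that
    confines the file to a staging directory and refuses to overwrite.
    The function names, the staging directory and the sample path are
    assumptions made for illustration.

```python
import os
import tempfile

# Hypothetical staging directory; a real control would use its own private cache.
STAGING_DIR = os.path.join(tempfile.gettempdir(), "setup-staging")


def flawed_destination(caller_path, signer_trusted):
    """Models both flaws: a trusted signature skips the prompt, caller picks the path."""
    if not signer_trusted:
        raise PermissionError("package is not signed by a trusted publisher")
    return caller_path  # written wherever the calling web page asked


def safe_destination(caller_name, signer_trusted, user_approved, staging=STAGING_DIR):
    """A signature proves origin only; consent and destination are decided locally."""
    if not (signer_trusted and user_approved):
        raise PermissionError("package not trusted or user did not approve")
    # Keep only the file name; any directory supplied by the caller is dropped.
    name = os.path.basename(caller_name.replace("\\", "/"))
    if not name or name in (".", ".."):
        raise ValueError("no usable file name")
    staging_real = os.path.realpath(staging)
    # realpath also resolves a symlink planted in the staging directory.
    target = os.path.realpath(os.path.join(staging_real, name))
    if os.path.commonpath([staging_real, target]) != staging_real:
        raise ValueError("destination escapes the staging directory")
    return target


def write_new_file(target, data):
    """Create the file only if it does not exist yet; never overwrite."""
    os.makedirs(os.path.dirname(target), exist_ok=True)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
```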

SOLUTION

    Patch availability:

        http://www.microsoft.com/windows/ie/download/critical/patch8.htm

    The patches require IE 4.01 Service Pack 2 or IE 5.01 to install.
    Customers using versions prior to these may receive a message
    reading "This update does not need to be installed on this
    system". This message is incorrect. More information is available
    in KB article Q265258.