Juan asked me to forward this message from him to the list. He has discovered that an ActiveX control shipped with IE can be used to install software components signed by Microsoft without prompting the user. This of curse raises trust issues. Someone, not necessarily Microsoft, could use this control to install a Microsoft signed component in your system. For example, they may install a Microsoft component with a known security hole which they could then use to take control of your computer. The problem is exploitable both via the web (IE) and email (Outlook). Message-ID: <002701bf7abe$86a071e0$647ee381@home> From: "Juan Carlos Garcia Cuartango" To: Subject: Software back door Date: Sat, 19 Feb 2000 10:48:15 +0100 Elias, I have found something IMO very serious. Could you post this issue to Bugtraq ? There is a MS ActiveX component called MS Active Setup, this component delivered with IE 4 and 5 is intended to provide remote software installation over the Internet. The component will only install signed software (authenticated software). The issue is : Under regular circumstances the software will ask the user about the software manufacturer asking him before start the installation , but if the software manufacturer is Microsoft the user is not warned and the software will be silently installed. This open a big privacy hole, MS is able to silently perform any action in our Windows systems whenever we are visiting a WEB page or by opening an e-mail. I have prepared a demo in http://www.angelfire.com/ab/juan123/iengine.html Active Setup documentation can be found at http://msdn.microsoft.com/library/periodic/period98/vbpj0798.htm Regards, Juan ----- End forwarded message ----- -- Elias Levy SecurityFocus.com http://www.securityfocus.com/