• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Microsoft Signed ActiveX Active Setup Vulnerability

Severity: MODERATE

Description:

The Active Setup ActiveX control can be configured to notify the user when a component signed by a trusted vendor is installed. Even when this feature is enabled, when the component in question is signed by Microsoft no notification is provided.

While Microsoft could use this feature to silently install software on a user's machine, there are countless other more subtle ways the operating system itself could do this. The more likely risk in this scenario is that an attacker could cause any Microsoft component with a known weakness to be installed silently on remote computers. The attacker could then attempt to exploit the weakness.

This 'feature' could be exploited remotely via a web page or HTML email.

Affected Products:

• Microsoft Internet Explorer 4.0
• Microsoft Internet Explorer 4.0 for WfW
• Microsoft Internet Explorer 4.0 for Windows 3.1
• Microsoft Internet Explorer 4.0 for Windows 95
• Microsoft Internet Explorer 4.0 for Windows NT 3.51
• Microsoft Internet Explorer 4.0 for Windows NT 4.0
• Microsoft Internet Explorer 4.1 for Windows 95
• Microsoft Internet Explorer 4.1 for Windows 98
• Microsoft Internet Explorer 4.1 for Windows NT 4.0
• Microsoft Internet Explorer 5.0 for Windows 2000
• Microsoft Internet Explorer 5.0 for Windows 95
• Microsoft Internet Explorer 5.0 for Windows 98
• Microsoft Internet Explorer 5.0 for Windows NT 4.0
• Microsoft Internet Explorer 5.0.1
• Microsoft Internet Explorer 5.5 preview
• Microsoft Office 2000
• Microsoft Outlook 2000
• Microsoft Outlook 98
• Microsoft Outlook Express 4.27.3110
• Microsoft Outlook Express 4.72.2106
• Microsoft Outlook Express 4.72.3120
• Microsoft Outlook Express 4.72.3612
• Microsoft Windows 3.11
• Microsoft Windows 95
• Microsoft Windows 98
• Microsoft Windows ME
• Microsoft Windows NT 4.0

References:

• Juan Carlos Garcia Cuartango: Install Engine Demo
• Microsoft: Frequently Asked Questions: Microsoft Security Bulletin (MS00-042)
• Microsoft: Q240797: How to Stop an ActiveX Control from Running in Internet Explorer
• Verisign: Microsoft Authenticode

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.