“MS Active Setup, an ActiveX component delivered with IE 4 and
5, is intended to provide remote software installation over the
Internet. Active Setup will only install signed (authenticated)
software, and will normally prompt the user to approve or
disapprove the manufacturer signing the software before installing
it. In the case of software manufactured by Microsoft, however, the
user is not prompted and the software is silently installed.”
“This opens a significant privacy hole, says Bugtraq’s Elias
Levy. ‘Someone, not necessarily Microsoft, could use this control
to install a Microsoft-signed component in your system. For
example, they may install a Microsoft component with a known
security hole which they could then use to take control of your
computer.’ For users of Windows systems, visiting a Web page using
IE or opening an email using Outlook is all it takes to allow such
a back door to be installed without the user’s knowledge, notes
Levy.”
” ‘The real issue is not that anybody can install IE
components,’ adds Juan Carlos Garcia Cuartango, the discoverer of
the problem. ‘The issue is that Microsoft can execute arbitrary
code in our systems just by signing it. Microsoft has a software
backdoor in the systems of all users of IE and
Outlook.’ “