The Active Setup control (Asctrls.ocx) enables .cab files to be downloaded to a user's computer as part of the installation process for software updates. However, the control has the following two flaws:
- It treats every Microsoft-signed .cab file as trusted, so such a file is accepted without asking for the user's approval.
- It lets the caller (the Web page that invokes the control) specify the location on the user's hard disk to which the file is written.
In combination, these two flaws could enable a malicious Web site operator to have the browser download a Microsoft-signed .cab file to a path of the operator's choosing, overwriting an existing file on the user's computer. By overwriting system files, the malicious user could make the computer unusable.
NOTE: This vulnerability does not provide any capability to install or run the software that has been downloaded; it only enables existing files to be overwritten, which is a denial of service attack. System File Protection in Windows 2000 would prevent an attack like this one from being used to overwrite protected system files.
Patch Availability
This patch is currently available for Internet Explorer 4.01 SP2, 5.01, and 5.01 SP1 at the following Microsoft Web site:
This patch is currently available for Internet Explorer 5.5 at the following Microsoft Web site:
NOTE: This update may not appear on the Microsoft Windows Update Web site, or you may receive the following message when you are installing this update from the Microsoft.com Web site:
This update does not need to be installed on this system.
Updates are currently available only for Internet Explorer 4.01 SP2, 5.01, 5.01 SP1, and 5.5.
For additional information about how to determine which version of Internet Explorer is installed, click the article number below to view the article in the Microsoft Knowledge Base:
164539 How to Determine Which Version of Internet Explorer Is Installed
Update Information by Product
To install the patch and verify that it is installed, follow the steps for your version of Internet Explorer:
Internet Explorer 4.01 SP2, 5.01, and 5.01 SP1
- Install the patch from the following link:
- On the Help menu, click About Internet Explorer. If the patch is installed, Q265258 is displayed on the Update Versions line.
Internet Explorer 5.5
- Install the patch from the following link:
- On the Help menu, click About Internet Explorer. If the patch is installed, Q269368 is displayed on the Update Versions line.
Internet Explorer 5.01 SP1 for Windows 95, Windows 98, Windows 98 Second Edition, Windows NT 4.0, and Windows 2000
Update File Name: Q265258.exe
Description: Internet Explorer Security Update, June 19, 2000
Availability:
File name      Size        Date         Time        Version
------------------------------------------------------------
Asctrls.ocx    109,328     08/01/2000   04:56:04pm  5.00.3207.2800
Internet Explorer 4.01 SP2 for Windows 95, Windows 98, and Windows NT 4.0 (Intel)
Update File Name: Q265258.exe
Description: Internet Explorer Security Update, June 19, 2000
Availability:
File name      Size        Date         Time        Version
------------------------------------------------------------
Asctrls.ocx    91,536      06/14/2000   02:29:12pm  4.72.3718.1400
Windows 2000 (all versions) and Internet Explorer 5.01 for Windows 95, Windows 98, Windows 98 Second Edition, and Windows NT 4.0
Update File Name: Q265258.exe
Description: Internet Explorer Security Update, June 19, 2000
Availability:
File name      Size        Date         Time        Version
------------------------------------------------------------
Asctrls.ocx    109,328     06/09/2000   11:13:26am  5.0.3018.900
Internet Explorer 5.5 for Windows 95, Windows 98, Windows 98 Second Edition, Windows NT 4.0, and Windows 2000
Update File Name: Q269368.exe
Description: Security Update, August 9, 2000
Availability:
File name      Size        Date         Time        Version
------------------------------------------------------------
Asctrls.ocx    110,864     07/28/2000   02:16:40pm  5.50.4207.2600
Mshtml.dll     2,744,592   07/28/2000   03:25:48pm  5.50.4207.2601
NOTE: In addition to the vulnerability discussed in this article, the Internet Explorer 5.5 version of this patch also eliminates the vulnerability discussed at the following Microsoft Web site:
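The file tables above give the Asctrls.ocx (and, for Internet Explorer 5.5, Mshtml.dll) versions that the patch installs. The following Python script is an added example, not part of this article, that checks reported file versions against those tables the way an administrator would when sweeping a fleet. The version table is copied from the file lists above; the host names, the pre-patch versions and the Internet Explorer 6.0 record in the sample inventory are constructed, and the branch each host runs is assumed to have been identified beforehand (see Knowledge Base article 164539).

```python
"""Check installed Asctrls.ocx / Mshtml.dll versions against the patched
builds listed in this article.

Added example, not code from the Microsoft article. PATCHED_VERSIONS is
copied from the file tables above; SAMPLE_INVENTORY is constructed data.
"""

# Minimum patched file versions per Internet Explorer branch, taken from the
# file tables in this article. Branch names are assumed labels; each maps
# file name (lower case) -> version string.
PATCHED_VERSIONS = {
    "IE 4.01 SP2": {"asctrls.ocx": "4.72.3718.1400"},
    "IE 5.01":     {"asctrls.ocx": "5.0.3018.900"},
    "IE 5.01 SP1": {"asctrls.ocx": "5.00.3207.2800"},
    "IE 5.5":      {"asctrls.ocx": "5.50.4207.2600",
                    "mshtml.dll":  "5.50.4207.2601"},
}


def parse_version(text):
    """Turn a dotted file version into a 4-tuple of ints.

    File versions must be compared field by field as integers: as strings,
    "5.50.4207.2600" sorts below "5.50.4207.999", and "5.0.3018.900" is not
    equal to "5.00.3018.0900" although both are the same build. Missing
    trailing fields are treated as zero, so "5.5" equals "5.5.0.0".
    """
    fields = [int(part) for part in text.strip().split(".")]
    if not 1 <= len(fields) <= 4:
        raise ValueError("expected 1 to 4 dotted fields, got %r" % text)
    return tuple(fields + [0] * (4 - len(fields)))


def is_patched(branch, installed):
    """Return True only if every file the patch ships for this branch is at or
    above the patched build. `installed` maps file name -> version string
    (case-insensitive); a file the patch ships but the inventory does not
    report counts as unpatched, which is the conservative answer."""
    have = {name.lower(): ver for name, ver in installed.items()}
    for name, minimum in PATCHED_VERSIONS[branch].items():
        reported = have.get(name)
        if reported is None or parse_version(reported) < parse_version(minimum):
            return False
    return True


def check_inventory(inventory):
    """Classify each (host, branch, {file: version}) record as "patched",
    "unpatched" or "unknown branch". Returns {host: status}."""
    result = {}
    for host, branch, files in inventory:
        if branch not in PATCHED_VERSIONS:
            result[host] = "unknown branch"   # no row in this article's tables
        else:
            result[host] = "patched" if is_patched(branch, files) else "unpatched"
    return result


# Constructed sample inventory (hypothetical hosts and versions), as would be
# gathered from the file properties of the listed files on each machine.
SAMPLE_INVENTORY = [
    ("ws01", "IE 5.01 SP1", {"Asctrls.ocx": "5.00.3207.2800"}),   # exact patched build
    ("ws02", "IE 5.01 SP1", {"Asctrls.ocx": "5.00.3105.106"}),    # constructed pre-patch build
    ("ws03", "IE 5.5",      {"Asctrls.ocx": "5.50.4207.2600"}),   # Mshtml.dll not reported
    ("ws04", "IE 5.5",      {"Asctrls.ocx": "5.50.4207.2600",
                             "Mshtml.dll":  "5.50.4207.2601"}),
    ("ws05", "IE 4.01 SP2", {"Asctrls.ocx": "4.72.3718.1400"}),
    ("ws06", "IE 6.0",      {"Asctrls.ocx": "6.0.2600.0"}),       # not covered by this article
]

if __name__ == "__main__":
    for host, status in sorted(check_inventory(SAMPLE_INVENTORY).items()):
        print("%s: %s" % (host, status))
```

Comparing the version strings as text, which is the usual shortcut in inventory scripts, is what the parse_version step guards against; the IE 5.5 records also show why the check must cover every file the patch replaces rather than Asctrls.ocx alone.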