Security Information, Week 27, 2000

A new security issue has been reported in Internet Explorer.

This issue affects all versions of the browser from version 4.0 through version 5.01.

The problem is that an ActiveX control shipped with Internet Explorer, the Active Setup Control, allows:

  • Downloading of .CAB files signed by Microsoft without asking the user to confirm the download. (.CAB files are Cabinet files: one or more files compressed into a single archive, commonly used to install programs.)
  • Specifying where on the local disk these files are written.

A malicious web page author can therefore arrange for a Microsoft-signed .CAB file to be downloaded onto the computer of a surfer visiting that page, overwriting e.g. system files on that computer. She may thus render the surfer's computer unusable, so that e.g. the operating system has to be reinstalled.

Fortunately this vulnerability does not enable remote installation of malicious programs; it only allows downloading of .CAB files that may overwrite crucial files. Microsoft describes the vulnerability as a potential Denial of Service attack.

A patch for this vulnerability is available from Microsoft. Follow this link. Note that you must have either Internet Explorer version 4.01 with Service Pack 2 or Internet Explorer version 5.01 installed for the patch to install correctly.

This patch changes the Active Setup Control so that it treats files signed by Microsoft like files signed by any other vendor (i.e. the user is asked for confirmation before the download starts), and it removes the option of specifying where the file is downloaded to (i.e. it always downloads to a standard location).
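The two rules the patch introduces (no signer is exempt from user confirmation, and the page cannot choose the destination) are a small download policy that is easy to get wrong. The following Python is an added example written for this bulletin, not code from Microsoft or from Internet Explorer: it models such a policy, confines every download to one fixed directory, neutralises path-traversal and drive-relative names, and shows that a page-supplied directory is simply ignored. All names in it (DownloadPolicy, DOWNLOAD_DIR, always_yes and so on) and the sample requests are constructed for the illustration.

```python
"""Added example: a download policy modelled on the patched behaviour described
in the bulletin. Nothing here is an Internet Explorer identifier; every name and
sample request is an assumption made for illustration."""
import re
from pathlib import Path
from typing import Callable, Dict, Optional

# Constructed fixed download location standing in for the "standard location".
DOWNLOAD_DIR = Path("/srv/ie-downloads")

# Conservative allow-list for a file name: letters, digits, '_', '.', '-'.
# It excludes path separators, ':' (Windows drive-relative names) and control characters.
_SAFE_NAME = re.compile(r"[\w.\-]+")


class DownloadRefused(Exception):
    """Raised when a download request violates the policy."""


class DownloadPolicy:
    def __init__(self, download_dir: Path, confirm: Callable[[str, str], bool]):
        # Resolve once so later comparisons use an absolute, normalised path.
        self.download_dir = download_dir.resolve()
        self.confirm = confirm  # asks the user; True means "allow this download"

    def destination_for(self, requested_name: str) -> Path:
        """Map a page-supplied name onto the fixed download directory.

        Only the last path component is kept (both '/' and '\\' count as
        separators), it must pass the allow-list, and the resolved result must
        still have download_dir as its parent.
        """
        name = re.split(r"[\\/]+", requested_name)[-1]
        if not name or name in {".", ".."} or not _SAFE_NAME.fullmatch(name):
            raise DownloadRefused(f"unusable file name: {requested_name!r}")
        candidate = (self.download_dir / name).resolve()
        if candidate.parent != self.download_dir:
            raise DownloadRefused(f"destination escapes download directory: {candidate}")
        return candidate

    def authorise(self, signer: str, requested_name: str,
                  requested_dir: Optional[str] = None) -> Path:
        """Return where the .CAB may be written, or raise DownloadRefused.

        requested_dir is accepted only to demonstrate that it is ignored: the
        destination is always derived from the fixed download directory.
        """
        dest = self.destination_for(requested_name)
        # Rule 1: the signer, even the browser vendor, never waives confirmation.
        if not self.confirm(signer, str(dest)):
            raise DownloadRefused(f"user declined {requested_name!r} signed by {signer!r}")
        return dest


def always_yes(signer: str, dest: str) -> bool:
    """Stand-in for a user who accepts the confirmation prompt."""
    return True


def always_no(signer: str, dest: str) -> bool:
    """Stand-in for a user who declines the confirmation prompt."""
    return False


def is_refused(policy: DownloadPolicy, signer: str, name: str,
               requested_dir: Optional[str] = None) -> bool:
    """True if the policy refuses the request, False if it yields a destination."""
    try:
        policy.authorise(signer, name, requested_dir)
        return False
    except DownloadRefused:
        return True


def run_demo() -> Dict[str, str]:
    """Exercise the policy on constructed requests; returns label -> outcome."""
    cases = [
        ("plain name, user accepts", always_yes, "Microsoft", "update.cab", None),
        ("traversal in name", always_yes, "Microsoft", "..\\..\\system\\critical.sys", None),
        ("page-chosen directory", always_yes, "Microsoft", "update.cab", "C:\\Windows\\System32"),
        ("drive-relative name", always_yes, "Microsoft", "C:update.cab", None),
        ("bare dot-dot", always_yes, "Microsoft", "..", None),
        ("vendor-signed, user declines", always_no, "Microsoft", "update.cab", None),
    ]
    outcomes: Dict[str, str] = {}
    for label, confirm, signer, name, requested_dir in cases:
        policy = DownloadPolicy(DOWNLOAD_DIR, confirm)
        try:
            dest = policy.authorise(signer, name, requested_dir)
            outcomes[label] = f"written as {dest.name} inside download dir"
        except DownloadRefused as exc:
            outcomes[label] = f"refused: {exc}"
    return outcomes


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:32s} -> {outcome}")
```

The traversal case is the one worth noting: the request is not refused outright, it is rewritten so that only the final component survives and lands inside the fixed directory, which is the same effect the patch achieves by dropping the caller-chosen location. The confirmation callback is consulted after the path check, so a declined prompt blocks a Microsoft-signed file exactly as it blocks any other vendor's.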

More information about this security vulnerability in Internet Explorer is available from Microsoft by following the links below:

Per Olav Førland