CVE

Id
1738  
CVE No.
CVE-2000-0160  
Status
Candidate  
Description
The Microsoft Active Setup ActiveX component in Internet Explorer 4.x and 5.x allows a remote attacker to install software components without prompting the user by stating that the software"s manufacturer is Microsoft.  
Phase
Modified (20000321-01)  
Votes
ACCEPT(4) Baker, LeBlanc, Levy, Wall | MODIFY(1) Frech | NOOP(1) Cole | REVIEWING(1) Christey  
Comments
Christey> In a followup to Bugtraq, Juan Carlos Cuartango makes some | clarifications, specifically that the code that is executed | *must* be signed by Microsoft. | | See BUGTRAQ:20000222 MS signed softwrare privileges | | Microsoft sends some followups, including a statement that it | will include notification. | | The question is, does this belong in CVE? There is no known | means of exploitation; on the other hand, it is related | to privacy concerns. Several posts to the Bugtraq list | indicate that some people believe that unprompted installation | is a significant concern. | Frech> XF:win-active-setup | Levy> BID 999 | | I do consider this vulnerability as it allows a malicious web page | to install *old* and *vulnerable* components signed by microsoft. | LeBlanc> Fixed in MS00-042 | Christey> BID:999 | Also add XF:ie-active-setup-download ?  

Actions

Related CVE References

Id CVE Id CVE No. Reference Actions
5413 1738 CVE-2000-0160 BUGTRAQ:20000221 Microsoft signed software can be install software without prompting users  View
5414 1738 CVE-2000-0160 URL:http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-15&msg=20000221103938.T21312@securityfocus.com  View

Related JVN