MSICD.CABusing the setup script
Caveat: Internet Component Download
extracts the contents of downloaded
files to unsafe temporary directories
The resulting weaknesses are listed as CWE-377: Insecure Temporary File and CWE-379: Creation of Temporary File in Directory with Incorrect Permissions in the CWE™.
Typical attacks are listed as CAPEC-27: Leveraging Race Conditions via Symbolic Links and CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions in the CAPEC™.
Note: the installation requires administrative
Although the setup script
needs no administrative privileges for any of its
actions, Internet Component Download requests them to
copy the setup script contained within the downloaded package
at the end of the installation into the directory
"%SystemRoot%\Downloaded Program Files\"
(precisely: the directory which pathname is stored in the last
entry of the Registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ActiveX Cache).
Windows Vista® and newer versions of
Windows NT, the (to say the least) braindead
security theatre named
interferes with Internet Component Download!
If Internet Explorer elevates the installation, then windows of processes started from the setup script(s) are not displayed!
Use the builtin
Administrator account for web-based
installations which require administrative privileges (at least if
you want to see the windows of processes started from the setup
Note: Internet Component Download
uses Advanced INF Installer which does not execute
at the end of the installation to read and execute command lines
written to Registry entries in the
%SystemRoot%\SetupAPI.log(before Windows Vista) or
%SystemRoot%\Inf\SetupAPI.App.log(since Windows Vista) respectively.
The operations of Advanced INF Installer are (optionally) logged to the file which pathname is stored in the Registry entry
if this Registry entry exists.
REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup] "AdvPackLogFile"="‹path›\\‹filename›.‹extension›"
MSICD.CABis digitally signed using an X.509 certificate issued by WEB.DE TrustCenter E-Mail Certification Authority.
Download and install the CA and root X.509 certificates of WEB.DE to validate and verify the digital signature.
-----BEGIN RSA PUBLIC KEY----- MIGJAoGBAJAyHz5WlYd3Z8fWzE1gcHSM99HuZo5ydm70rL0jP2RusV9wCOJfPp/+ injLW/nqwR9ewtY0fZYQYvLFtOptQe8jNDgfNdeAEcBPSBx/AtMwjOgKLuQi0bhS P53lQyhxRsPdmqizPxzLKY5NAMvuVkKB0jKMSf2dzOJ7Ln1d9CX7AgMBAAE= -----END RSA PUBLIC KEY-----
Note: due to its counter signature alias timestamp the digital signature remains valid past the X.509 certificates expiration date!
Use the X.509 certificate to send S/MIME encrypted mail.
Note: email in weird format and without a proper sender name is likely to be discarded!
HTML (and even
weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.
as iswithout any warranty, neither express nor implied.
cookiesin the web browser.
The web service is operated and provided byTelekom Deutschland GmbH
The web service provider stores a
session cookie in the web
browser and records every visit of this web site with the following
data in an access log on their server(s):