MSICD.CAB
using the
setup script
MSICD.INF
contained within.
Caveat: Internet Component Download
extracts the contents of downloaded
cabinet
files to unsafe temporary directories
%TMP%\IXP[000-999].TMP\!
The resulting weaknesses are listed as
CWE-377: Insecure Temporary File,
CWE-378: Creation of Temporary File With Insecure Permissions
and
CWE-379: Creation of Temporary File in Directory with Incorrect Permissions
in the
CWE™.
Typical attacks are listed as
CAPEC-27: Leveraging Race Conditions via Symbolic Links
and
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
in the
CAPEC™.
Note: installation requires administrative
privileges and access rights!
Although the setup script
MSICD.INF
needs no administrative privileges and access
rights for any of its actions,
Internet Component Download requests them to copy the
setup script contained within the downloaded package
MSICD.CAB
at the end of the installation into the directory
"%SystemRoot%\Downloaded Program Files\"
(precisely: the directory which pathname is stored in the last
Registry
entry of the Registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ActiveX Cache).
Note: on
Windows Vista® and newer versions of
Windows NT,
the (to say the least) braindead security theatre
named
UAC
interferes with Internet Component Download!
If Internet Explorer elevates the
installation, then windows of processes started from the setup
script(s) are not displayed!
Use the builtin Administrator account for web-based
installations which require administrative privileges (at least if
you want to see the windows of processes started from the setup
script(s)).
Note: Internet Component Download
uses Advanced INF Installer which does not execute
%SystemRoot%\System32\RunOnce.exe
at the end of the installation to read and execute command lines
written to Registry entries in the
Registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce.
Use RunPostSetupCommands or
Setup Hooks
sections instead.
%SystemRoot%\SetupAPI.log
(before Windows Vista) or
%SystemRoot%\Inf\SetupAPI.App.log
(since Windows Vista) respectively.
The operations of Advanced INF Installer are (optionally) logged to the file which pathname is stored in the Registry entry
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup]
"AdvPackLogFile"="‹path›\\‹filename›.‹extension›"MSICD.CAB is
digitally signed
using an
X.509
certificate
issued by
WEB.DE TrustCenter E-Mail Certification Authority.
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAJAyHz5WlYd3Z8fWzE1gcHSM99HuZo5ydm70rL0jP2RusV9wCOJfPp/+
injLW/nqwR9ewtY0fZYQYvLFtOptQe8jNDgfNdeAEcBPSBx/AtMwjOgKLuQi0bhS
P53lQyhxRsPdmqizPxzLKY5NAMvuVkKB0jKMSf2dzOJ7Ln1d9CX7AgMBAAE=
-----END RSA PUBLIC KEY-----Note: unfortunately WEB.DE abandoned their trust center in 2018 and removed all pages and download links in 2019; fortunately the Wayback Machine archived the TrustCenter page, the CA and the root certificate.
Note: due to its counter signature alias timestamp the digital signature remains valid past the X.509 certificates expiration date!
Use the X.509 certificate to send S/MIME encrypted mail.
Note: email in weird format and without a proper sender name is likely to be discarded!
I dislike
HTML (and even
weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your
nickname.
I abhor top posts and expect inline quotes in replies.
as iswithout any warranty, neither express nor implied.
cookiesin the web browser.
The web service is operated and provided by
Telekom Deutschland GmbH The web service provider stores a session cookie
in the web
browser and records every visit of this web site with the following
data in an access log on their server(s):