
Me, myself & IT

Internet Component Download

Purpose

This web page demonstrates Windows'® Internet Component Download, typically used to download and install ActiveX controls.

Operation

If visited with Internet Explorer, this web page will prompt to install (the contents of) the package MSICD.CAB using the setup script MSICD.INF contained within.

Caveat: Internet Component Download extracts the contents of downloaded cabinet files to unsafe temporary directories %TEMP%\IXP[000-999].TMP\!
The resulting weaknesses are listed as CWE-377: Insecure Temporary File and CWE-379: Creation of Temporary File in Directory with Incorrect Permissions in the CWE.
Typical attacks are listed as CAPEC-27: Leveraging Race Conditions via Symbolic Links and CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions in the CAPEC.
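One way to watch for use of these extraction directories, as an added example that is not part of the original page: it flags processes whose image or working directory is an IXPnnn.TMP directory and lists the elevated ones first. The event field names (ProcessId, Image, CurrentDirectory, IntegrityLevel) and the sample events are assumptions, modelled on Sysmon process-creation records.

```python
import re
from ntpath import normpath

# One path component named IXP000.TMP .. IXP999.TMP (the pattern given above).
# %TEMP% differs per user and system, so only the directory name is matched.
IXP_DIR = re.compile(r"\\(IXP\d{3}\.TMP)\\", re.IGNORECASE)
ELEVATED = {"high", "system"}

def ixp_findings(events):
    """Report processes whose image or working directory is an IXPnnn.TMP directory."""
    findings = []
    for ev in events:
        for field in ("Image", "CurrentDirectory"):
            # normpath unifies separators; the appended "\" lets a bare directory match.
            match = IXP_DIR.search(normpath(ev.get(field) or ".") + "\\")
            if match:
                findings.append({
                    "pid": ev["ProcessId"],
                    "directory": match.group(1).upper(),
                    "matched_field": field,
                    "elevated": ev.get("IntegrityLevel", "").lower() in ELEVATED,
                })
                break  # one finding per process
    # Elevated processes first: they run with administrative rights from a
    # directory created below the user's %TEMP%.
    return sorted(findings, key=lambda f: (not f["elevated"], f["pid"]))

# Constructed sample events (not real telemetry); field names are an assumption
# modelled on Sysmon process-creation records.
SAMPLE_EVENTS = [
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\rundll32.exe",
     "CurrentDirectory": r"C:\Users\ALICE~1\AppData\Local\Temp\ixp001.tmp",
     "IntegrityLevel": "Medium"},
    {"ProcessId": 4120, "Image": r"C:\Users\alice\AppData\Local\Temp\IXP000.TMP\setup.exe",
     "CurrentDirectory": r"C:\Users\alice\AppData\Local\Temp\IXP000.TMP",
     "IntegrityLevel": "High"},
    {"ProcessId": 5000, "Image": r"C:\Tools\IXP000.TMPL\tool.exe",
     "CurrentDirectory": r"C:\Tools", "IntegrityLevel": "High"},
    {"ProcessId": 5100, "Image": r"C:\Windows\explorer.exe",
     "CurrentDirectory": r"C:\Windows", "IntegrityLevel": "Medium"},
]

if __name__ == "__main__":
    for finding in ixp_findings(SAMPLE_EVENTS):
        print(finding)
```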

Note: the installation requires administrative privileges!
Although the setup script MSICD.INF needs no administrative privileges for any of its actions, Internet Component Download requests them in order to copy the setup script contained within the downloaded package MSICD.CAB, at the end of the installation, into the directory "%SystemRoot%\Downloaded Program Files\" (precisely: the directory whose pathname is stored in the last Registry entry of the Registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ActiveX Cache]).

Note: on Windows Vista and newer versions of Windows NT, the (to say the least) braindead security theatre named UAC interferes with Internet Component Download!
If Internet Explorer elevates the installation then windows of processes started from the setup script(s) are not displayed!
Use the builtin Administrator account for web-based installations which require administrative privileges (at least if you want to see the windows of processes started from the setup script(s)).

Note: Internet Component Download uses Advanced INF Installer which does not execute %SystemRoot%\System32\RunOnce.exe at the end of the installation to read and execute command lines written to Registry entries in the Registry keys
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup],
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] and
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce].
Use RunPostSetupCommands or Setup Hooks sections instead.

Background information

The operations of the setup script are logged to the file %SystemRoot%\SetupAPI.log (before Windows Vista) or %SystemRoot%\Inf\SetupAPI.App.log (since Windows Vista) respectively.
For additional information see the MSDN articles Setting SetupAPI Logging Levels and SetupAPI Logging Registry Settings.

The operations of Advanced INF Installer are (optionally) logged to the file whose pathname is stored in the Registry entry

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup]
"AdvPackLogFile"="…"
if this Registry entry exists.

Code authenticity and integrity

The (compressed) cabinet file MSICD.CAB is digitally signed using an X.509 certificate issued by WEB.DE TrustCenter E-Mail Certification Authority.
Serial number: 73156798 (0x045C48BE)
Fingerprint:
MD5: fc ee 8c 63 1d 27 05 a6 84 4c 1a 3e 73 47 9a b0
SHA-1: ce 24 2d a2 6b d9 7c 64 1e 8d bc 6c 70 58 32 1f 99 ab 1a be
Download and install the CA and root X.509 certificates of WEB.DE to validate and verify the digital signature.

Note: due to its counter signature (alias timestamp), the digital signature remains valid past the X.509 certificate's expiration date!

Contact

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tips, report broken links, bugs, errors, inaccuracies, omissions, vulnerabilities or weaknesses, …:
don't hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Notes: I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see a full (real) name as sender, not a nickname!
Emails in weird formats and without a proper sender name are likely to be discarded.
I abhor top posts and expect inline quotes in replies.

Terms and conditions

By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!
Copyright © 1995-2017 • Stefan Kanthak • <‍skanthak‍@‍nexgo‍.‍de‍>