MSICD.CAB using the setup script
Caveat: Internet Component Download extracts the contents of downloaded files to unsafe temporary directories
The resulting weaknesses are listed as CWE-377: Insecure Temporary File and CWE-379: Creation of Temporary File in Directory with Incorrect Permissions in the CWE™.
Typical attacks are listed as CAPEC-27: Leveraging Race Conditions via Symbolic Links and CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions in the CAPEC™.
Note: the installation requires administrative
Although the setup script needs no administrative privileges for any of its actions, Internet Component Download requests them to copy the setup script contained within the downloaded package at the end of the installation into the directory "%SystemRoot%\Downloaded Program Files\" (precisely: the directory whose pathname is stored in the last entry of the Registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ActiveX Cache]).
Note: on Windows Vista and newer versions of Windows NT, the (to say the least) security theatre named
interferes with Internet Component Download!
If Internet Explorer elevates the installation then windows of processes started from the setup script(s) are not displayed!
Use the builtin Administrator account for web-based installations which require administrative privileges (at least if you want to see the windows of processes started from the setup
Note: Internet Component Download uses Advanced INF Installer which does not execute
at the end of the installation to read and execute command lines written to Registry entries in the
%SystemRoot%\SetupAPI.log (before Windows Vista) or %SystemRoot%\Inf\SetupAPI.App.log (since Windows Vista) respectively.
The operations of Advanced INF Installer are (optionally) logged to the file whose pathname is stored in the Registry entry
if this Registry entry exists.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup]
"AdvPackLogFile"="…"
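A defender-side check for the two Registry-driven locations named in the notes above (the ActiveX Cache directory into which the setup script is copied, and the optional AdvPackLogFile entry): this is an added PowerShell example, not code from the original page, and the low-privilege principal names it matches are assumptions for an English-locale Windows installation.

```powershell
# Added example; not code from the original page. Locates the directory named by the
# last entry of the ActiveX Cache key quoted above, lists ACEs that grant write access
# to non-administrative principals, and reports whether AdvPackLogFile is set.
# Principal name patterns below assume an English-locale Windows installation.
$cacheKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ActiveX Cache'
$logKey   = 'HKLM:\SOFTWARE\Microsoft\Advanced INF Setup'

function Get-ActiveXCacheDirectory {
    $item = Get-Item -Path $cacheKey -ErrorAction Stop
    # Entries under this key are numbered; assumption: the highest number is the "last" entry
    $last = $item.GetValueNames() | Where-Object { $_ -match '^\d+$' } |
            Sort-Object { [int]$_ } | Select-Object -Last 1
    if (-not $last) { throw "No numbered entry found under $cacheKey" }
    [Environment]::ExpandEnvironmentVariables($item.GetValue($last))
}

function Find-WritableByNonAdmins {
    param([Parameter(Mandatory)][string]$Path)
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write
    # Well-known low-privilege principals (assumed English names)
    $lowPriv = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\(Authenticated Users|INTERACTIVE))$'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band ([int]$writeMask)) -ne 0 -and
        $_.IdentityReference.Value -match $lowPriv
    }
}

function Get-AdvPackLogFile {
    # Returns $null when the optional "AdvPackLogFile" entry does not exist
    $v = Get-ItemProperty -Path $logKey -Name 'AdvPackLogFile' -ErrorAction SilentlyContinue
    if ($v) { [Environment]::ExpandEnvironmentVariables($v.AdvPackLogFile) }
}

$dir = Get-ActiveXCacheDirectory
"Internet Component Download cache directory: $dir"
$weak = @(Find-WritableByNonAdmins -Path $dir)
if ($weak.Count -eq 0) {
    "No write access for low-privilege principals (expected for a directory under %SystemRoot%)"
} else {
    "WARNING: low-privilege principals may write to $dir"
    $weak | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}
$log = Get-AdvPackLogFile
if ($log) { "Advanced INF Installer logs to: $log" }
else      { "AdvPackLogFile not set: Advanced INF Installer logging is disabled" }
```

Write access for a low-privilege principal on that directory is what turns the CWE-377/CWE-379 weakness above into a practical CAPEC-27/CAPEC-29 exposure, so any ACE the script reports is worth investigating.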
MSICD.CAB is digitally signed using an X.509 certificate issued by WEB.DE TrustCenter E-Mail Certification Authority.
Download and install the CA and root X.509 certificates of WEB.DE to validate and verify the digital signature.
-----BEGIN RSA PUBLIC KEY----- MIGJAoGBAJAyHz5WlYd3Z8fWzE1gcHSM99HuZo5ydm70rL0jP2RusV9wCOJfPp/+ injLW/nqwR9ewtY0fZYQYvLFtOptQe8jNDgfNdeAEcBPSBx/AtMwjOgKLuQi0bhS P53lQyhxRsPdmqizPxzLKY5NAMvuVkKB0jKMSf2dzOJ7Ln1d9CX7AgMBAAE= -----END RSA PUBLIC KEY-----
Note: due to its counter signature (alias timestamp) the digital signature remains valid past the X.509 certificate's expiration date!
Use the X.509 certificate to send S/MIME encrypted mail.
Notes: I dislike
even weirder formats too) in email, I prefer to receive plain text.
I also expect to see a full (real) name as sender, not a nickname!
Emails in weird formats and without a proper sender name are likely to be discarded.
I abhor top posts and expect inline quotes in replies.
as is without any warranty, neither express nor implied.