The Microsoft Active Setup ActiveX component in Internet Explorer 4.x and 5.x allows a remote attacker to install software components without prompting the user by stating that the software's manufacturer is Microsoft.
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Assigning CNA
MITRE Corporation
Date Record Created
20000223
Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Modified (20000321)
Votes (Legacy)
ACCEPT(4) Baker, LeBlanc, Levy, Wall
MODIFY(1) Frech
NOOP(1) Cole
REVIEWING(1) Christey
Comments (Legacy)
 Christey> In a followup to Bugtraq, Juan Carlos Cuartango makes some
   clarifications, specifically that the code that is executed
   *must* be signed by Microsoft.
   See BUGTRAQ:20000222 MS signed softwrare privileges
   Microsoft sends some followups, including a statement that it
   will include notification.
   The question is, does this belong in CVE?  There is no known
   means of exploitation; on the other hand, it is related
   to privacy concerns.  Several posts to the Bugtraq list
   indicate that some people believe that unprompted installation
   is a significant concern.
 Frech> XF:win-active-setup
 Levy> BID 999
   I do consider this a vulnerability, as it allows a malicious web page
   to install *old* and *vulnerable* components signed by Microsoft.
 LeBlanc> Fixed in MS00-042
 Christey> BID:999
   Also add XF:ie-active-setup-download ?

Proposed (Legacy)
This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.