Internet Component Download

Me, myself & IT

Internet Component Download

Purpose
Operation
Background Information
Authenticity and Integrity

Purpose

This web page demonstrates Windows’^™ Internet Component Download, typically used to download and install ActiveX controls.

Operation

When visited with Internet Explorer, this web page will prompt to install (the contents of) the package MSICD.CAB using the setup script MSICD.INF contained within.

Caveat: Internet Component Download extracts the contents of downloaded cabinet files to unsafe temporary directories %TMP%\IXP[000-999].TMP\!
The resulting weaknesses are listed as CWE-377: Insecure Temporary File, CWE-378: Creation of Temporary File With Insecure Permissions and CWE-379: Creation of Temporary File in Directory with Incorrect Permissions in the CWE^™.
Typical attacks are listed as CAPEC-27: Leveraging Race Conditions via Symbolic Links and CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions in the CAPEC^™.

Note: installation requires administrative privileges and access rights!
Although the setup script MSICD.INF needs no administrative privileges and access rights for any of its actions, Internet Component Download requests them to copy the setup script contained within the downloaded package MSICD.CAB at the end of the installation into the directory "%SystemRoot%\Downloaded Program Files\" (precisely: the directory which pathname is stored in the last Registry entry of the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ActiveX Cache).

Note: on Windows Vista^® and newer versions of Windows NT, the (to say the least) braindead security theatre named UAC interferes with Internet Component Download!
If Internet Explorer elevates the installation, then windows of processes started from the setup script(s) are not displayed!
Use the builtin Administrator account for web-based installations which require administrative privileges (at least if you want to see the windows of processes started from the setup script(s)).

Note: Internet Component Download uses Advanced INF Installer which does not execute %SystemRoot%\System32\RunOnce.exe at the end of the installation to read and execute command lines written to Registry entries in the Registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce.
Use RunPostSetupCommands or Setup Hooks sections instead.

Background Information

The operations of the setup script are logged to the file %SystemRoot%\SetupAPI.log (before Windows Vista) or %SystemRoot%\Inf\SetupAPI.App.log (since Windows Vista) respectively.
For additional information see the MSDN articles Setting SetupAPI Logging Levels and SetupAPI Logging Registry Settings.

The operations of Advanced INF Installer are (optionally) logged to the file which pathname is stored in the Registry entry

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup]
"AdvPackLogFile"="‹path›\\‹filename›.‹extension›"

if this Registry entry exists.

Authenticity and Integrity

The (compressed) cabinet file MSICD.CAB is digitally signed using an X.509 certificate issued by WEB.DE TrustCenter E-Mail Certification Authority.

Serial number of the certificate: 0x045C48BE = 73156798
Fingerprint of the certificate: MD5: fc ee 8c 63 1d 27 05 a6 84 4c 1a 3e 73 47 9a b0; SHA-1: ce 24 2d a2 6b d9 7c 64 1e 8d bc 6c 70 58 32 1f 99 ab 1a be

Download and install the CA and root X.509 certificates of WEB.DE to validate and verify the digital signature.

Note: unfortunately WEB.DE abandoned their trust center in 2018 and removed all pages and download links in 2019; fortunately the Wayback Machine archived the TrustCenter page, the CA and the root certificate.

Note: due to its counter signature alias timestamp the digital signature remains valid past the X.509 certificates expiration date!

Contact and Feedback

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tipps, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Terms and Conditions

By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!

The software and the documentation on this site are provided as is without any warranty, neither express nor implied.
In no event will the author be held liable for any damage(s) arising from the use of the software or the documentation.
Permission is granted to use the current version of the software and the current version of the documentation solely for personal private and non-commercial purposes.
An individuals use of the software or the documentation in his or her capacity or function as an agent, (independent) contractor, employee, member or officer of a business, corporation or organisation (commercial or non-commercial) does not qualify as personal private and non-commercial purpose.
Without written approval from the author the software or the documentation must not be used for a business, for commercial, corporate, governmental, military or organisational purposes of any kind, or in a commercial, corporate, governmental, military or organisational environment of any kind.
Redistribution of the software and the documentation is allowed only in unmodified form of its current version and free of charge.

Data Protection Declaration

This web page records no (personal) data and stores no cookies in the web browser.

The web service is operated and provided by

Telekom Deutschland GmbH
Business Center
D-64306 Darmstadt
Germany
<‍hosting‍@‍telekom‍.‍de‍>
+49 800 5252033

The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):

the (pseudonymised) IP address;
the date and time of the request;
the URL of the requested web page or file;
the Referer and User-Agent HTTP headers sent by the web browser;
the result (success or failure) of the request;
the amount of data received and sent.