Bugtraq mailing list archives

Re: IE ms-its: and mk:@MSITStore: vulnerability


From: roozbeh afrasiabi <roozbeh_afrasiabi () yahoo com>
Date: 31 Mar 2004 08:31:23 -0000

In-Reply-To: <BAY17-F16uCddQiqWcB0001d6bb () hotmail com>

What, exactly, is new about this?

I did my best to explain this with different PoCs and giving a lot of detail, but it seems I failed to address this 
well. The fact that Internet Explorer can access CHM files using the two p-handlers when help has been initiated is 
new, the fact that some local resources can be used is also new, and execution of programs on the local machine is not done 
using the old way.
To realize this better, try testing the PoCs by removing the line that opens help; what you will find out is that the 
script won't be able to run correctly and no programs will be run.

The PoCs I have used in combination with mine were selected from those I thought would be detected by scanners, so it 
won't be possible for people to simply use them. I have given enough info between the lines for experienced readers too.


and the second bit like something Arman Nayyeri posted [2]
If I am not mistaken, his PoC could only run Winamp if it had been installed in some known location, while the changes I 
have made to it give it the ability to run any program whose MUICACHE name is known.


The PoCs in section b) through g) appear to be implementations of the above. And the PoC in section h) seems related 
to CERT Advisory VU#489721 [3]

These were only included for the reader's better understanding and to prove the fact that other programs (MS products) 
which use Internet Explorer for opening HTML files can be exploited too (god, I am giving you clues).
