Re: IE ms-its: and mk:@MSITStore: vulnerability

[roozbeh afrasiabi <roozbeh_afrasiabi@xxxxxxxxx>]

In-Reply-To: <BAY17-F16uCddQiqWcB0001d6bb@xxxxxxxxxxx>

>What, exactly, is new about this?

I did my best to explain this with different pocs and giving a lot of detail 
but it seems i failed to address this well.The fact that internet explorer can 
access chm files using the two p-handlers when help has been initiated is 
new,the fact that some local resources can be used is also new,and execution of 
programs on local machine is not done using the old way.
to realize this better try testing the pocs by removing the line that opens 
help,what you will find out is that the script won't be able to run correctly 
and no programs will be run.

The pocs i have used in combination with mine were selected from those i 
thought would be detected by scanners so it won't be possible for people 
to simply use them .I have given enough info between the lines for experienced 
readers too.


>and the second bit like something Arman Nayyeri posted [2]
if i am not mistaken his poc could only run winamp if it had been installed in 
some known location, while the changes i have made to it gives it the ability 
to run any program which its' MUICACHE name is known.


>The PoCs in section b) through g) appear to be implementations of the above 
>.And the PoC in section h) seems related to Cert Advisory VU#489721 [3]

These were only included for reader's better understanding and to prove the 
fact that other programs (ms.products) which use internet explorer for opening 
html files can be exploited too (god i am giving you clues )