In February, security group GreyMagic Software posted a new advisory
<http://security.greymagic.com/adv/gm001-ie/> correcting some
details in thePull's original post. They also detailed a new method
of exploiting this vulnerability without using Active Scripting or
ActiveX. In other words, an attacker can trigger this flaw with
plain HTML. This greatly widened the scope of the vulnerability,
because disabling Active Scripting and ActiveX no longer prevents
the attack. GreyMagic also found that IE 5.5 was susceptible.
However, since the attacker could only start an application, not
interact with it or control what it does, the vulnerability was
considered more an irritation than a damaging attack.


Yesterday, this vulnerability was shown to be harmful in an article
<http://www.newsbytes.com/news/02/175185.html> from Newsbytes. The
article names two command-line utilities that ship with Windows XP.
Logoff.exe is installed by default in XP and, when run, forces the
current user to log off the system. Shutdown.exe is not installed by
default but is shipped with XP; when run, it forces the machine to
shut down. When either of these programs executes, you lose any
unsaved data. Both programs are also in the Windows NT and 2000
Resource Kit. Thus, NT and 2000 administrators who have installed
them from the Resource Kit and use IE are affected as well.


Now that exploit code for this vulnerability and its connection to
shutdown.exe have been aired publicly, this attack is readily
feasible for any script kiddie. An attacker could create a Web page
that specifically targets the Logoff.exe program present in Windows
XP by default. If you were enticed to visit the site, you would be
logged off immediately and lose any unsaved work. The attacker could
achieve the same result by sending you a specially crafted HTML
e-mail that you open in Outlook or Outlook Express.


Note that the underlying vulnerability is that a remote party can
launch any program that already resides on your machine. Logoff.exe
and shutdown.exe are the only damaging targets identified thus far
(who cares if an attacker remotely launches Minesweeper on your
PCs?), but it would be typical of the hacker community to find
other damaging uses for the flaw in the future.



SOLUTION PATH:


Microsoft has not yet officially responded to this vulnerability,
and there is no patch or workaround available yet. However, without
logoff.exe and shutdown.exe, the only known damaging attacks become
unworkable. You could remove or rename these programs on your XP
machines to blunt those attacks. Keep in mind that doing so does
not fix the underlying flaw (any other local program can still be
launched), and that it will break any legitimate script or program
that relies on these utilities. Also verify that the change sticks:
Windows File Protection can silently restore a renamed or deleted
System32 file. We recommend that you also verify these programs are
not installed on your NT or 2000 machines.
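The following batch script is an added example for this alert; it is
not code from GreyMagic, Newsbytes or Microsoft. It audits a Windows
NT/2000/XP host for the two utilities named above by searching PATH
(which catches both System32 and a Resource Kit directory) and, when
invoked with the argument "rename", renames any it finds and then
checks whether the file is still present. The ".disabled" suffix and
the "rename" argument are this example's own choices, and it assumes
an Administrator command prompt.

```bat
@echo off
setlocal
rem Added example for this alert, not code from GreyMagic, Newsbytes or
rem Microsoft. Audits a Windows NT/2000/XP host for the two utilities
rem named in the alert and, with the "rename" argument, renames any it
rem finds. Assumptions: run from an Administrator command prompt; the
rem ".disabled" suffix is this example's own choice.

set ACTION=%1
if "%ACTION%"=="" set ACTION=audit

for %%P in (logoff.exe shutdown.exe) do call :check %%P
endlocal
goto :eof

:check
rem %~$PATH:1 expands to the full path of %1 if it is found anywhere on
rem PATH (System32, or a Resource Kit directory on NT/2000), else to "".
set FOUND=%~$PATH:1
if "%FOUND%"=="" (
    echo %1: not found on PATH
    goto :eof
)
echo %1: present at %FOUND%
if /i not "%ACTION%"=="rename" goto :eof
ren "%FOUND%" "%~nx1.disabled"
if exist "%FOUND%" (
    echo    WARNING: %FOUND% is still present. Check permissions, and
    echo    re-check in a minute: Windows File Protection can restore
    echo    protected System32 files from the dllcache.
) else (
    echo    renamed to %~nx1.disabled
)
goto :eof
```

Run the script with no argument to audit a machine, and with
"rename" to neutralize what it finds. Because Windows File Protection
restores files asynchronously, run the audit again a minute or two
after renaming to confirm the files have not reappeared. The
%~$PATH:1 expansion is documented under "call /?" in cmd.exe.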


Many antivirus vendors, such as McAfee and Symantec, have updated
their products to detect this attack and notify you; however, they
only detect it, they do not prevent it.