Dear Lists:

Apparently I wasn't clear enough with this paragraph of my advisory, or a sizeable portion of the list readership elected to ignore it:

"A malicious user could create content that would request the user to click an object or press a sequence of keys. By delivering a security prompt during this process, the site could subvert the prompting and obtain permission for actions that were not necessarily authorized."

It seemed fairly clear to me, but apparently it sounded better to me than it did to some readers. :-(

Basically, the scenario for the vulnerability is as follows:

* Ask for user input that is predictable (mouse clicks, a text string with the letter 'y', etc.)
* Display a modal security prompt that will "eat" that input and treat it as a "Permit" answer to the security prompt.

The result: compromise of security, potentially including arbitrary code execution.

A particular scenario was identified that involved the exploitation of the modal ActiveX prompt delivered by some systems. The user is asked to type a certain string of characters (a la captcha). A prompt will be displayed (hopefully during the time the user is typing the string) to install the Microsoft Surround Video Control. If you're still typing the "captcha" when the prompt appears, you'll install the control. This works as advertised against all systems EXCEPT Windows XP SP2 and Windows Server 2003 SP1. If the software you install hoses your box, just remember that it's signed by Microsoft. In other words... don't look at me.

Other prompts on XP SP2 and 2003 SP1 are exploitable for various gains as well. Virtually any prompt that wasn't commonly displayed on a web page prior to these updates is still handled via the (risky) modal dialog model. One example is the "Allow Paste Operations via Script" prompt that is displayed when a web page attempts to access the clipboard. Another example is the "Initialize and Script ActiveX controls not marked as safe" prompt, which is somewhat mitigated by LMZ lockdown.

All of those cases are exploitable in the same way as this one -- you simply have to change the "unsafe" action. Rather than having a page generate an ActiveX install, for instance, you could have it try to sniff the clipboard, initiate install-on-demand, or some other suspect action. The ability to cause the action to be approved silently is achieved the same way -- having a user unwittingly enter a 'Y' to the prompt.

As you might notice, the exploit vector is virtually identical to that of MS05-054. I'm beginning to wonder if maybe it isn't the triviality of the remaining issues making them hard for people to envision. After all, Jesse Ruderman provides all of the theory and Secunia even demonstrates it for us with the file download dialog exploit code. The follow-up attack to such precise, detailed research is not a terribly creative one -- it merely involves piecing together what somebody else missed, ignored or didn't research to its full depth.

This is a really easy class of attack to eliminate completely when compared to other more insidious attack vectors, and I expect that this process will eventually happen.

Note that the standard disclaimer (that your use of this is at your own risk) still applies. Perhaps more so this time, because there's Microsoft code coming down along with the exploit.
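To make concrete why this class of prompt is easy to fix on the dialog side, here is an added example (not code from the post, from Microsoft, or from any browser) that models the two prompt policies in plain JavaScript with no DOM: a naive modal prompt that treats the first 'Y' it receives as "Permit", beside a hardened one that discards any "Permit" input arriving while the user is still typing and only arms the Permit answer after an idle period. The class and function names, the 1000 ms arming delay, and the simulated keystroke timeline are all assumptions constructed for the example.

```javascript
// Added example: modelling a keystroke-eating modal prompt and a hardened
// alternative. Names and timings are invented for illustration.

const ARM_DELAY_MS = 1000; // assumption: idle time required before "Permit" is live

// Naive policy: the first 'y' (or Enter) that reaches the prompt after it
// appears is taken as "Permit" -- this is the behaviour the post describes.
function naiveDecision(keystrokes, shownAt) {
  for (const [key, t] of keystrokes) {
    if (t < shownAt) continue;              // went to the page, not the prompt
    if (key === "Escape") return "deny";
    if (key === "y" || key === "Enter") return "permit";
  }
  return null;                               // prompt still open
}

// Hardened policy: "Deny" is always honoured immediately (a mistaken deny is
// safe); "Permit" is only honoured once the prompt has been idle for
// ARM_DELAY_MS, and every keystroke that arrives early restarts that countdown,
// so a user still typing for the page cannot accept by accident.
class HardenedPrompt {
  constructor(shownAt) {
    this.lastInputAt = shownAt;
    this.decision = null;
    this.discarded = 0;                      // count of eaten "permit" attempts, for logging
  }

  isArmed(now) {
    return now - this.lastInputAt >= ARM_DELAY_MS;
  }

  handleKey(key, now) {
    if (this.decision !== null) return "closed";
    if (key === "Escape") {
      this.decision = "deny";
      return "deny";
    }
    const wantsPermit = key === "y" || key === "Enter";
    if (!wantsPermit) {
      this.lastInputAt = now;                // any typing resets the countdown
      return "ignored";
    }
    if (!this.isArmed(now)) {
      this.lastInputAt = now;                // early "permit": drop it and restart
      this.discarded += 1;
      return "discarded";
    }
    this.decision = "permit";
    return "permit";
  }
}

function hardenedDecision(keystrokes, shownAt) {
  const prompt = new HardenedPrompt(shownAt);
  const outcomes = [];
  for (const [key, t] of keystrokes) {
    if (t < shownAt) continue;
    outcomes.push(prompt.handleKey(key, t));
  }
  return { decision: prompt.decision, outcomes, discarded: prompt.discarded };
}

// Constructed timeline: the user types the "captcha" string "crazy" at one key
// every 150 ms, and the page pops the prompt at t=500 ms, just before the 'y'.
const CAPTCHA_KEYS = [["c", 0], ["r", 150], ["a", 300], ["z", 450], ["y", 600]];
const PROMPT_SHOWN_AT = 500;

// Same timeline, then a deliberate 'y' pressed after the user has stopped typing.
const DELIBERATE_KEYS = CAPTCHA_KEYS.concat([["y", 1700]]);

function demo() {
  return {
    naive: naiveDecision(CAPTCHA_KEYS, PROMPT_SHOWN_AT),            // "permit": input was eaten
    hardened: hardenedDecision(CAPTCHA_KEYS, PROMPT_SHOWN_AT),      // decision null, 'y' discarded
    deliberate: hardenedDecision(DELIBERATE_KEYS, PROMPT_SHOWN_AT), // "permit": the idle 'y' counts
  };
}
```

The point of the model is that the hardened prompt never needs to guess whether a given 'Y' was meant for it: it simply refuses to act on any "Permit" input that arrives while keystrokes are still flowing, and an Escape still closes it at once, so the cost to a legitimate user is a one-second pause before they can accept.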