-----Original Message-----
From: Paz Itzhaki-Weinberger
Sent: Sunday, July 04, 2004 5:06 PM
To: 'Ramis@microsoft.com'
Subject: FW: Urgent - I discovered a problem with the newest Microsoft Patch!
Importance: High

Dear Rami,
 
I got your email and was told you are dealing with this issue.
Attached is an example HTML (the mail below is a mail I sent CERT about this matter - it's July 4th, so it may take them a while to get to it).
 
To test the HTML:
Place the HTML in any directory on your hard disk (make sure KB870669 update is installed, of course - the entire thing is to show it works also after patching) and double-click it.
Nothing malicious about this specific code of course - it's only an example (as you can see by looking at the code).
After confirming, it will try injecting the code and run command prompt to open in pause mode.
If it was successful, your computer is vulnerable although the patch is installed. On my testing XP machine it worked.
 
Enjoy & good luck updating the patch,

------------------------------------------------------------------------------
Paz Itzhaki-Weinberger
Security Content Manager & Analyst
Gteko Ltd.

"Quidquid agis, prudenter agas, et respice finem"
------------------------------------------------------------------------------
The information in this e-mail is confidential and proprietary to Gteko Ltd., for the use of the intended recipient only. Any review, retransmission, dissemination, printing or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this by error, please contact the sender by phone or return this email and delete the material from all of your computers. Thank you.
Copyright 2003-2004, Gteko Ltd., all rights reserved.

-----Original Message-----
From: Paz Itzhaki-Weinberger
Sent: Sunday, July 04, 2004 1:45 PM
To: 'cert@cert.org'
Subject: Urgent - I discovered a problem with the newest Microsoft Patch!
Importance: High

Hi,
 
Microsoft just released KB870669 and computers all over the world are updating and patching to be protected from the latest IE vulnerabilities this patch addresses.
However, I discovered a way to bypass this patch, simply by crafting a malicious HTML (using Shell).
This way, PATCHED SYSTEMS ARE STILL VULNERABLE. The malicious HTML will work on patched systems, exactly like it works on unpatched ones.
Enclosed is a Proof-of-Concept HTML with the code.
 
Please warn everyone on this matter, and also transfer this information to Microsoft, so Microsoft can release an update to the patch covering this issue, and keep their customers safe.
I called Microsoft Israel on the phone, but they didn't get back to me yet on the matter (I don't know who exactly to contact there directly for such cases).
 
Thanks,

------------------------------------------------------------------------------
Paz Itzhaki-Weinberger
Security Content Manager & Analyst
Gteko Ltd.