> if there is some XSS hole in
> Windows Update site or if there is a bug in IE that
> allows to trick the URL,

then the attacker can use the Windows Update ActiveX control to: reboot your machine; get detailed information on the computer (computer name, hardware, isAdmin, etc.). BUT it's hard for the attacker to execute his EXE.

I've traced into the module ("IUENGINE.TEXT"). They first create the directory (API: "CreateDirectoryW"), then they download the EXE file to the newly created directory. Soon after that, they verify its digest (API: "LSTRCMPIW"). At last they verify it with "WinTrust.TEXT", which I am unable to bypass. If any of the checks fails, they delete the file (API: "DeleteFileW").

Assuming we already got WINDOWSUPDATE.MICROSOFT.COM (then we easily got MYCOMPUTER): the only chance is that "DeleteFileW" fails, but the chances are very, very slim. So generally speaking (generally speaking, we can't break WinTrust), the maximum risk is "RebootMachine", nothing more.

Just as a reminder.

best wishes
die
-----------------------
umbrella.mx.tc - http://umbrella.mx.tc
safecenter - http://www.safecenter.net
make notes easily - http://domex.int.tc

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
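The sequence the post describes (create a fresh directory, download the EXE, compare its digest, run it through WinTrust, delete it if anything fails) is a general pattern for accepting a binary from a site you do not fully trust. The following is an added example written for this page; it is not code from the original post and not Microsoft's own update engine. It reproduces that sequence in PowerShell on top of Get-FileHash and Get-AuthenticodeSignature (the latter calls WinVerifyTrust underneath). The expected SHA-256, the download URL and the signer pattern are hypothetical inputs the caller supplies; it assumes PowerShell 5.1 or later on Windows. Note that the digest comparison only protects against a corrupted transfer: an attacker who controls the update site can publish a digest that matches his own file, which is exactly why the signature check is the one that matters, as the post argues.

```powershell
# Added example, not from the original post or from Windows Update itself.
# Mirrors: CreateDirectoryW -> download -> digest compare (lstrcmpiW on hex
# strings) -> WinTrust verification -> DeleteFileW on any failure.
# Assumed inputs: $ExpectedSha256 and $ExpectedSignerPattern come from the caller.

function Test-UpdateBinary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [string] $ExpectedSignerPattern = 'CN=Microsoft'   # hypothetical pin
    )

    # 1. Digest check. This is a case-insensitive string compare of hex digests,
    #    the same kind of check the post saw done with lstrcmpiW. It catches a
    #    corrupted download, not a malicious site that publishes its own digest.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if (-not [string]::Equals($actual, $ExpectedSha256,
                              [System.StringComparison]::OrdinalIgnoreCase)) {
        return [pscustomobject]@{ Ok = $false; Reason = "digest mismatch ($actual)" }
    }

    # 2. WinTrust check. Get-AuthenticodeSignature wraps WinVerifyTrust; any status
    #    other than 'Valid' (NotSigned, HashMismatch, UnknownError, ...) is a failure.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Ok = $false; Reason = "Authenticode status $($sig.Status)" }
    }

    # 3. 'Valid' only means the chain ends at a trusted root. Any code-signing
    #    certificate would satisfy that, so also pin the signer's subject.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedSignerPattern*") {
        return [pscustomobject]@{ Ok = $false; Reason = "unexpected signer $subject" }
    }

    return [pscustomobject]@{ Ok = $true; Reason = 'digest and signature verified' }
}

function Invoke-VerifiedInstall {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [string] $ExpectedSignerPattern = 'CN=Microsoft'   # hypothetical pin
    )

    # Fresh per-download directory, as the engine does with CreateDirectoryW, so a
    # pre-planted file with the same name cannot be picked up by mistake.
    $dir  = Join-Path $env:TEMP ('wu-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $dir | Out-Null
    $file = Join-Path $dir 'update.exe'

    try {
        Invoke-WebRequest -Uri $Url -OutFile $file

        $result = Test-UpdateBinary -Path $file -ExpectedSha256 $ExpectedSha256 `
                                    -ExpectedSignerPattern $ExpectedSignerPattern
        if (-not $result.Ok) {
            throw "refusing to execute downloaded binary: $($result.Reason)"
        }

        Start-Process -FilePath $file -Wait
    }
    finally {
        # The engine's DeleteFileW step: remove the file whether or not the checks
        # passed, so nothing unverified (or verified-then-replaced) lingers on disk.
        Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue
    }
}
```

To see both branches without a network, call Test-UpdateBinary on a locally signed binary (for instance a copy of a system executable) first with a deliberately wrong SHA-256, which fails at the digest step, and then with the hash Get-FileHash reports for it, which proceeds to the Authenticode and signer checks. The signer pin is the part most people forget: without it, a binary signed with any certificate that chains to a trusted root passes the WinTrust step, and the check then only guarantees that someone signed it, not who.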