> If Guninski is right, and there is a bug involving the Microsoft OLE
> DB Provider for Internet Publishing that allows malicious websites
> to execute queries into sites local to the vulnerable user under that
> user's context then it's more than likely that some of those local
> sites indeed don't request any kind of authentication or then
> authenticate the user automatically using NT Challenge/Response. And
> that would mean clear access past any firewalls into the
> local intranet.
> Sure, you have to know the site names but that's what social
> engineering is for.

Or simply guess that it is something common like "mail", "intranet" or "exchange". Since the attacker has the ability to access the resource programmatically, testing a set of plausible names until the correct one is found is possible, and may even have a very high probability of success.

Tim Hollebeek
Research Scientist
Cigital Labs
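The name-guessing loop Hollebeek describes, as an added example that is not part of the original post and not Cigital's or Guninski's code. It takes a list of plausible intranet names, expands them across domain suffixes, and probes them in order until one answers. The candidate list, the domain suffix `corp.example` and the `fake_resolve` lookup table are assumptions constructed so the code runs offline; in practice the probe callable would be `socket.gethostbyname` or an HTTP request issued from the victim's context.

```python
"""Guess intranet host names from a short list of common candidates.

Added example, not code from the original post. The attacker has a way to
test a name programmatically (the ``resolve`` callable) and walks a list of
plausible names, stopping at the first one that answers.
"""
from typing import Callable, Iterable, List, Optional, Tuple

# Assumed list of names commonly found on corporate intranets, ordered by
# rough likelihood. This ordering is an assumption, not measured data.
COMMON_NAMES = ["intranet", "mail", "exchange", "www", "portal",
                "owa", "webmail", "home"]


def candidates(names: Iterable[str] = COMMON_NAMES,
               domains: Iterable[str] = ("",)) -> List[str]:
    """Expand short names across domain suffixes.

    Order is preserved (most likely first) and duplicates are dropped, so
    the probe budget is not wasted on the same host twice.
    """
    seen = set()
    out: List[str] = []
    for dom in domains:
        for name in names:
            host = name if not dom else f"{name}.{dom}"
            if host not in seen:
                seen.add(host)
                out.append(host)
    return out


def first_hit(resolve: Callable[[str], bool], hosts: Iterable[str],
              limit: Optional[int] = None) -> Tuple[Optional[str], int]:
    """Probe hosts in order and return (host, attempts) for the first one
    that resolves, or (None, attempts) if the budget runs out.

    ``limit`` caps the number of probes so a noisy run can be bounded.
    """
    attempts = 0
    for host in hosts:
        if limit is not None and attempts >= limit:
            break
        attempts += 1
        if resolve(host):
            return host, attempts
    return None, attempts


# Constructed stand-in for name resolution on a hypothetical intranet
# (assumption: these three hosts exist, nothing else does).
FAKE_INTRANET = {"exchange", "exchange.corp.example", "wiki.corp.example"}


def fake_resolve(host: str) -> bool:
    """Offline replacement for socket.gethostbyname / an HTTP probe."""
    return host in FAKE_INTRANET


def demo() -> Tuple[Optional[str], int]:
    """Run the guess loop against the constructed intranet."""
    hosts = candidates(COMMON_NAMES, domains=("", "corp.example"))
    return first_hit(fake_resolve, hosts)


if __name__ == "__main__":
    host, tries = demo()
    print(f"hit={host!r} after {tries} probe(s)")
```

With the constructed table above, the third candidate ("exchange") answers, so the loop stops after three probes; the same function with `limit=2` returns no hit, which is the case to expect when the target uses a non-standard naming scheme and the wordlist is short.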