Although hundreds of millions of dollars have been spent on securing SP2, perfection is impossible. Through the joint effort of Michael Evanchik and Paul from Greyhats Security, a very critical vulnerability has been developed that can compromise a user’s system without the need for user interaction besides visiting the malicious page. The vulnerability is not actually a vulnerability in itself, but rather it is uses multiple known holes in SP2 including Help ActiveX Control Related Topics Zone Security Bypass Vulnerability and Help ActiveX Control Related Topics Cross Site Scripting Vulnerability.
* Microsoft Internet Explorer 6.0
* Microsoft Windows XP Pro SP2
* Microsoft Windows XP Home SP2
Proof of Concept:
See a proff of concept of the above code at: http://freehost07.websamba.com/greyhats/sp2rc.htm
* If an error is shown, press OK. This is normal.
* Notice in your startup menu a new file called Microsoft Office.hta. When run, this file will download and launch a harmless executable (which includes a pretty neat fire animation)
* Disable HTA files
* Disable Active Scripting in Internet Explorer