echo: nthelp
to: All
from: Geo.
date: 2004-06-09 06:00:38
subject: IE exploit

From: "Geo." 

I've been watching this one develop on the security lists, this article
gives a pretty good explanation. What they don't say is that Jelmer got his
home machine rooted with it. 

The other thing they don't mention, XPsp2 beta users are NOT vulnerable. I
found that impressive.

http://www.computerworld.com.au/index.php?id=117316298&eid=-255

Internet Explorer carved up by zero-day hole Kieren McCarthy, Techworld.com
09/06/2004 08:28:25

Two new vulnerabilities have been discovered in Internet Explorer which
allow a complete bypass of security and provide system access to a
computer, including the installation of files on someone's hard disk
without their knowledge, through a single click.

Worse, the holes have been discovered from analysis of an existing link on
the Internet, and a fully functional demonstration of the exploit has been
produced and shown to affect even fully patched versions of Explorer.

It has been rated "extremely critical" by security company
Secunia, and the only advice is to disable Active Scripting support for all
but trusted websites.

The discovery stems from Dutch researcher Jelmer who was sent an Internet
link which he was warned used unknown Explorer vulnerabilities to install
adware on his computer. He found it did and embarked on a detailed analysis
of the link, which demonstrates an extremely sophisticated use of encrypted
code to bypass the Web browser's security.

In simple terms, the link uses an unknown vulnerability to open up a local
Explorer help file -- ms-its:C:\WINDOWS\Help\iexplore.chm::/iegetsrt.htm.
It delays executing anything immediately but instead uses another unknown
vulnerability to run another file which in turn runs some script. This
script is then used to run more script. And finally that script is used to
run an exploit that Microsoft Corp. has been aware of since August 2003 but
hasn't patched.

That exploit -- Adodb.stream -- has not been viewed as particularly
dangerous, since it only works when the file containing the code is present
on the user's hard disk. The problem comes in the fact that the Help file
initially opened is assumed to be safe since it is a local file and so has
minimal security restrictions.

By using the unknown exploits, code is installed within the help file
window, all security efforts are bypassed, and the Adodb.stream exploit is
then used to download files on the Internet direct to the hard disk. What
this means in reality is that if you click on a malicious link in an email
or on the Internet, a malicious user can very quickly have complete control
of your PC. And there is no patch available. You can see it happen by clicking
here.

With the code already available on the Net, this is effectively a security
nightmare ... unless you're a Mozilla or Opera user that is.

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
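The article names two stages a defender can look for in page source or proxy logs: the ms-its: link that opens a local .chm help file, and the ADODB.Stream object. The following scanner is an added example, not code from the post or the article; its patterns and sample input are constructed, and because the article says the real link used encrypted code, it only catches stages that appear in plain (or merely percent/HTML-encoded) form, not ones assembled at runtime.

```python
import html
import re
from urllib.parse import unquote

# Indicators taken from the article's description of the chain.  The regexes
# are an assumption about how they appear in captured HTML or log lines.
INDICATORS = {
    "ms-its local help file": re.compile(r"ms-its:[^\s\"'>]*\.chm::", re.I),
    "ADODB.Stream object": re.compile(r"adodb\.stream", re.I),
    "iexplore.chm path": re.compile(r"iexplore\.chm", re.I),
}


def normalize(text):
    """Undo one layer of percent- and HTML-entity encoding before matching,
    so 'ms%2Dits:' or '&#109;s-its:' does not slip past the patterns."""
    return html.unescape(unquote(text))


def find_indicators(text):
    """Return a sorted list of (label, matched_text) pairs found in text."""
    text = normalize(text)
    hits = []
    for label, pattern in INDICATORS.items():
        for m in pattern.finditer(text):
            hits.append((label, m.group(0)))
    return sorted(hits)


def classify(text):
    """'chain' when both the help-file stage and ADODB.Stream are present,
    'suspicious' when only one of the indicators is, otherwise 'clean'."""
    labels = {label for label, _ in find_indicators(text)}
    if "ms-its local help file" in labels and "ADODB.Stream object" in labels:
        return "chain"
    return "suspicious" if labels else "clean"


# Constructed sample page fragment (not the real malicious link).
SAMPLE = """\
<a href="ms-its:C:\\WINDOWS\\Help\\iexplore.chm::/iegetsrt.htm">click</a>
<script>var s = new ActiveXObject("ADODB.Stream");</script>
"""

if __name__ == "__main__":
    for label, hit in find_indicators(SAMPLE):
        print(f"{label}: {hit}")
    print("verdict:", classify(SAMPLE))
```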

SOURCE: echomail via fidonet.ozzmosis.com
