Don’t Press F1 If You Are Using Microsoft XP

Ignore Sites That Nag You to Press the Help Key, Says Microsoft’s Zero-Day Bug Advisory

If you’re still using Windows XP, Microsoft has a piece of security advice for you: don’t hit F1! Microsoft has told Windows XP users not to press the F1 key when prompted by a Web site, as part of its reaction to an unpatched vulnerability that hackers could exploit to hijack PCs running Internet Explorer (IE).

A recently discovered vulnerability affects how Windows XP handles VBScript that is used to load Help files. Hackers could disguise malicious code as a Windows Help file (with the extension “.hlp”) and then launch a pop-up window prompting users to press F1 for help. Pressing F1 would in fact load the malicious file and execute the code, thus infecting the PC. Fortunately, the vulnerability does require user interaction, so those who refrain from using Help (or who turn it off entirely) will remain safe. Details on how to turn off Help can be found here.

“The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer,” read the advisory. “If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user.” The vulnerability applies to IE6, IE7, and IE8 on Windows XP. However, customers running Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2 are safe from such attacks, Microsoft said.

Microsoft is currently working to patch the flaw, but has not announced a time by which to expect a fix. This is just one more reason to join the 21st century, and leave XP behind as the quaint memory of a bygone era that it is.


