Microsoft Warns: Don't Press "F1"
A new zero-day vulnerability threatens to use Windows help files against users, if they can be convinced to press F1, the traditional key for help. ("It's a trap!")
Microsoft released a Security Advisory this week warning users of a zero-day vulnerability (define) in the way older versions of Windows handle help files that could lead to system compromise.
The zero-day hole affects Windows 2000 Service Pack 4 (SP4), Windows XP SP2 and SP3, as well as 64-bit versions of XP Professional SP2, and Windows Server 2003. More recent releases of Windows, including Vista, Windows Server 2008, and Windows 7, are not at risk, Microsoft said in a statement e-mailed to InternetNews.com.
According to Microsoft's advisory, the flaw is in the way VBScript processes help files in Internet Explorer.
"If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user," the advisory said. The F1 key is normally designated to bring up help in Windows programs, including the operating system.
It's a trap
To exploit the bug, however, an attacker would need to get the user to do two things sequentially. First, the user would need to visit an attacker's site, or a site that's been compromised, or to click on a malicious link in an e-mail or Instant Messenger message.
Second, the attacker would need to convince the user to press the F1 key in order to trigger the attack. Vulnerabilities that require the user to do more than one thing are typically not considered as dangerous as simple drive-by download attacks which can be triggered by simply viewing a page with a booby-trapped link or banner ad.
Even when the user presses the F1 key, it must be done while the attack Web site is displaying a scripted dialog box, the advisory said.
Microsoft said there have been no known attacks in the wild so far, despite the fact that the proof-of-concept code is already available on the Web.
The company's security group has not yet decided how they will deal with the vulnerability. They have not yet said whether they will issue a patch and, if so, whether they will release it as soon as possible -- a so-called "out of band" patch -- or whether to release it as part of a regular Patch Tuesday bug fix drop. The next Patch Tuesday is scheduled for next week on the usual second Tuesday of the month.
Microsoft has a workaround
In the meantime, Microsoft has issued a workaround, which is to set security in Internet Explorer on the affected systems to "high." That disables Active Scripting and keeps the VBScript code from executing.
"Users are advised to avoid pressing F1 presented by Web pages or other Internet content. If a dialog box appears repeatedly in an attempt to convince the user to press F1, users may log off the system or use Task Manager to terminate the Internet Explorer process," the advisory said.