Mar
Don’t press F1 key in Windows XP, Microsoft advises
Via ComputerWorld.
Microsoft told Windows XP users today not to press the F1 key when prompted by a Web site, as part of its reaction to an unpatched vulnerability that hackers could exploit to hijack PCs running Internet Explorer (IE).
In a security advisory issued late Monday, Microsoft confirmed the unpatched bug in VBScript that Polish researcher Maurycy Prodeus had revealed Friday, offered more information on the flaw and provided some advice on how to protect PCs until a patch shipped.
“The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer,” read the advisory. “If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user.”
Last week, Prodeus called the bug a “logic flaw,” and said attackers could exploit it by feeding users malicious code disguised as a Windows help file — such files have a “.hlp” extension — then convincing them to press the F1 key when a pop-up appeared. He rated the vulnerability as “medium” because of the required user interaction.
Windows 2000, Windows XP and Windows Server 2003 are impacted by the bug, said Microsoft, and any supported versions of Internet Explorer (IE) on those operating systems — including IE6 on Windows XP — could be leveraged by attackers. Previously, Prodeus had said that users running IE7 and IE8 were at risk, but had not called out IE6.
Until a patch is ready, users can protect themselves by not pressing the F1 key if a Web site tells them to, said Microsoft.
The security advisory made the same recommendation: “Our analysis shows that if users do not press the F1 key on their keyboard, the vulnerability cannot be exploited.”
Users can also stymie attacks by disabling Windows Help. The advisory explained how to enter a one-line command at a Windows command-line prompt to lock down the Help system.
Another one of those funny-sad stories about another vulnerability in the Windows operating system. These are coming so often these days we’re becoming as inured to them as we are to Windows updates. No one reads all that stuff; we just click “approved”, “OK”, “agreed”, just do it, get it over with.
How many typical Windows users even know what the F1 key is for?
F1 Displays the Help task pane.
CTRL+F1 closes and reopens the current task pane.
ALT+F1 creates a chart of the data in the current range.
ALT+SHIFT+F1 inserts a new worksheet.
(Microsoft)
You can also press the F1 key on some computers to access the BIOS when you start your computer before Windows boots up. On other computers it’s usually F2 or Escape.
You know what I find really ironic? A lot of people have been getting after Google the last week or so over releasing Buzz to so many users without fixing some glaringly obvious (to the techies, at least) security weaknesses. And what are a vast majority of them using to express these concerns? Windows. And how many of them are using the latest release, Windows 7, with all the latest updates and drivers installed? How many acknowledge that Windows has released every version of its operating system unfinished and incomplete? True, there are flaws that only exist because of advances in the writing of viruses and spyware. No one can anticipate every possible scenario. All I know is that I always feel more secure, more comfortable when I’m using the Mac or booted in Linux. Sadly, Buzz is especially aggravating in those systems since everything else for the most part just works. Software updates outnumber version updates by a good number.
I don’t argue that Buzz needed a beta period. Come on, Google. Everything you’ve produced up until now has been labeled beta. You even let us make Gmail say beta in the header if we want. Even if all you had done was add the now-anticipated beta label to the name, Buzz beta, you would no doubt have received a warmer reception. The critics would have had shaky grounds for criticism. Especially those criticizing from a Windows machine.
Let me give you a tip applicable to any version of Windows. It goes beyond the rather timid approach Microsoft suggests in order to avoid a single potential vulnerability. Employing the technique I’m about to share with you, you are assured of never again being at risk for any sort of vulnerability. If you want to know you are totally secure when using Windows, if you want to be invisible to viruses, free of spyware, if you want to never see another blue-screen-of-death ever again for the rest of your life:
Do not press ANY key on your keyboard. Not the F1, not the Enter key, don’t even tap the space bar.
Better yet, don’t even turn the damned thing on. Can’t get much safer from cyber threats than that.