In what is being described as an ‘unpatched bug in VBScript’. users of Windows XP could be compromised if they press F1 when prompted by rogue web sites. The vulnerability also affects users of Windows 2000 and Windows server 2003 as well. Microsoft has stated that Windows 7, Windows Vista and Windows Server 2008 and not affected. Microsoft describes the vulnerability as being:
“The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer,” read the advisory. “If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user.”
Last week, Prodeus called the bug a “logic flaw,” and said attackers could exploit it by feeding users malicious code disguised as a Windows help file — such files have a “.hlp” extension — then convincing them to press the F1 key when a pop-up appeared. He rated the vulnerability as “medium” because of the required user interaction.
Microsoft also has stated that:
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
It sounds like a no brainer in that users just need to ignore anything that any web sites wants us to do. LOL