On the heels of a Google engineer finding a security vulnerability that had been lurking in Microsoft Windows’ Virtual DOS Machine for 17 years, another doozy has turned up: Microsoft has issued a security advisory for Windows 2000, Windows XP, and Windows Server 2003 that just pressing the F1 key—you know, for help—while using Internet Explorer could trigger a VBScript vulnerability that could enable attackers to take over the machine.
“The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer,” Microsoft wrote in the advisory. “If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user.”
In theory, the flaw could be exploited by attackers passing malware disguised as a Windows Help (“.hlp“) file. Exploiting the issue does require that the attackers somehow convince users to press the F1 key to trigger the vulnerability. The flaw impacts Internet Explorer 6, 7, and 8 on the affected operating systems; Windows Vista and Windows 7 are not vulnerable.
“As an interim workaround, users are advised to avoid pressing F1 on dialogs presented from Web pages or other Internet content,” said Microsoft Security Response Center’s David Ross, in a Technet blog post.
Microsoft has expressed dismay that the vulnerability was made public before a patch could be developed and deployed to mitigate the risk. Typically, security researchers report flaws to vendors privately so a workaround can be tested and released before announcing the flaw to the broader world where attackers and cybercriminals might move quickly to exploit it.
