Don't press F1 in Windows XP: Microsoft

The software giant Microsoft has told Windows XP users not to press the F1 key when prompted by a Web site, as part of a security adviso
ry.

The advisory has been issued regarding an unpatched vulnerability that hackers could exploit to hijack PCs running Internet Explorer (IE). In the advisory, Microsoft confirmed the unpatched bug in VBScript that Polish researcher Maurycy Prodeus had revealed last week.

"The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer. If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user. On systems running Windows Server 2003, Internet Explorer Enhanced Security Configuration is enabled by default, which helps to mitigate against this issue," reads the advisory.

Recently, Prodeus called the bug a "logic flaw," and said attackers could exploit it by feeding users malicious code disguised as a Windows help file and convincing them to press the F1 key when a pop-up appeared. Such files have a ".hlp" extension.

Windows 2000, Windows XP and Windows Server 2003 are impacted by the bug, said Microsoft, and any supported versions of Internet Explorer (IE) on those operating systems, including IE6 on Windows XP, could be exploited by hackers.

The security advisory said, "Our analysis shows that if users do not press the F1 key on their keyboard, the vulnerability cannot be exploited."

Users can also thwart the attacks by disabling Windows Help.
 
Source