Microsoft is warning XP users not to press the F1 key if a website prompts them to. The company urges them to ignore any such prompt, saying it could be an exploit using a newly discovered vulnerability in VBScript. A security advisory provided more info:
“The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer,” read the advisory. “If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user.”
The Polish researcher who found the bug calls it a “logic flaw” and says a hacker could gain access to a user’s computer by using it to feed them a fake Windows help file with malicious code embedded in it.
Users of Windows XP, Windows 2000 and Windows 2003 are affected by this bug, but Vista, Windows 7, and Windows Server 2008 users are safe. Microsoft has not announced an ETA for a fix and lashed out at the researcher who notified the public of the bug, saying it was irresponsible and put customers at risk. Maurycy Prodeus fired back, saying he notified Microsoft 4 weeks before going public.