2010 has not been kind to Microsoft's security team. In under a month's
time, we've seen Microsoft address a fix that was supposed to resolve one
problem but instead caused more headaches, all while having to warn
consumers not to be duped by a fake security site passing itself off as
something useful. As if those software-savvy folks up in Washington didn't
have enough on their plates, the company has today issued yet another
startling advisory, and it is easily one of the more bizarre ones we've seen.
Microsoft has gone public with an investigation into "a vulnerability
in VBScript that is exposed on supported versions of
Microsoft Windows 2000, Windows XP, and Windows Server 2003 through the
use of Internet Explorer." This matters because a large share of the
world's PCs still run Windows XP, and many corporate environments haven't
upgraded or moved away from IE. To date, Microsoft has found no evidence
that the vulnerability affects Windows 7, Vista or Server 2008 users.
The problem we're dealing with here is remote code execution. While the
company says it isn't aware of any attacks that take advantage of the
vulnerability, it is obviously looking to patch things up before that
changes. Here's Microsoft's exact explanation of the issue:
The vulnerability exists in the way that VBScript interacts with
Windows Help files when using Internet Explorer. If a malicious Web
site displayed a specially crafted dialog box and a user pressed the F1
key, arbitrary code could be executed in the security context of the
currently logged-on user. On systems running Windows Server 2003,
Internet Explorer Enhanced Security Configuration is enabled by default, which helps to mitigate against this issue.
Did you catch that? The part about the "F1" key? In a few words,
Microsoft is advising Windows XP users who rely on IE not to press F1
when a web page prompts them to, which is kind of crazy when you think
about it. Thankfully, not many people rely on the F1 key in day-to-day
use, but just imagine the outrage if "F1" were replaced with "A." The
public is being told that the problem is being worked on, though no
timetable has been given for a fix. Just push those F1 urges aside for a
while, and everything should be just fine.