Microsoft Warns Windows XP Users To Avoid F1 Key In Internet Explorer
Microsoft has gone public with an investigation into "a vulnerability in VBScript that is exposed on supported versions of Microsoft Windows 2000, Windows XP, and Windows Server 2003 through the use of Internet Explorer." This is quite significant because a huge majority of PCs in the world still rely on Windows XP, and many corporate environments haven't upgraded or switched away from IE. To date, Microsoft has yet to find evidence that this exploit could harm Windows 7, Vista or Server 2008 users.
The primary problem that we're dealing with here is "remote code execution," and while the company admits that they aren't aware of any attacks that take advantage of the vulnerabilities, they're obviously looking to patch things up before it gets bad. Here's Microsoft's exact explanation of the issue:
The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer. If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user. On systems running Windows Server 2003, Internet Explorer Enhanced Security Configuration is enabled by default, which helps to mitigate against this issue.
Did you catch that? The part about the "F1" key? In a few words, Microsoft is actually advising Windows XP users who rely on IE to not use their F1 key, which is kind of crazy when you think about it. Thankfully, not many people actually rely on the F1 key in day-to-day use, but just imagine the outrage if "F1" were replaced with "A." The public is being told that the problem is being worked on, though there is no timetable given as to when we can expect a fix. Just push those F1 urges aside for a while, and everything should be just fine.