I have poked fun before at Microsoft's many security problems with Internet Explorer, but this one is hilarious. Microsoft has now issued a security advisory stating that pressing the F1 key on older versions of Windows running Internet Explorer can create huge problems. Hackers could use the vulnerability to take control of a user's system. The attack could come from a Web page, an HTML e-mail or an e-mail attachment, as long as Internet Explorer is used to display the file.
The flaw has been found in systems running Windows 2000, Windows XP, and Windows Server 2003. Microsoft says the issue is tied to the way that Visual Basic Scripting, or VBScript -- which is used for executing functions found in web pages -- is linked with Windows Help files.
In the case of an attack, a victim using Windows 2000, XP, or Server 2003 would only need to visit a malicious web site where a dialog box would be presented, enticing the user to press the F1 key. Once the key is pressed, the system is hijacked and malware is installed on the computer.
Typically, the F1 key is used to open the help function, so an attacker may play on that expectation when prompting the user. Beware of any pop-up windows that ask you to press F1.
Users who've upgraded to more recent versions of Windows, including Windows Server 2008, Windows Vista, and the new Windows 7, will not be affected by the vulnerability. Users who have upgraded to Firefox, Opera, or Google Chrome web browsers also will not be affected. Macintosh and Linux users also will not be affected. The problem exists only in older versions of Internet Explorer on Windows 2000, Windows XP, and Windows Server 2003.
You can read more at http://www.pcworld.com/article/190585/microsoft_warns_of_f1_site_attack.html.
There is no fix yet from Microsoft, although I am sure there will be one very soon. The new security advisory is available on Microsoft's web site at http://www.microsoft.com/technet/security/advisory/981169.mspx.
