Software house Microsoft has updated Internet Explorer users concerned about the browser's latest vulnerability, and the advice is remarkably simple.
Yesterday in a security note the firm explained, "With this issue, it is possible for a malicious web page to display a dialog box which will trigger the execution of arbitrary code when the user presses the F1 key. The prompt can appear repeatedly when dismissed, nagging the user to press the F1 key. Platforms are affected regardless of the Internet Explorer version installed."
It added, "Though user interaction is required the F1 keyboard shortcut does enable an attack scenario. In the exploit, a file path enables a .HLP file to be loaded from the local filesystem, SMB, or WebDav."
According to the firm, the problem relates to Windows 2000 and Windows XP by default and, to a lesser extent, Windows 2003 Server. It added that its internal investigations revealed that Windows 7, Windows Server 2008, and Windows Vista were not affected. Regardless of this, it appears that if there is a risk to systems, it is users who cannot stop themselves from pressing a button.
Microsoft's workaround for the issue is uninspiring. It says, "As an interim workaround, users are advised to avoid pressing F1 on dialogs presented from web pages or other Internet content. If a dialog box appears repeatedly in an attempt to convince the user to press F1, users may log off the system or use Task Manager to kill the Internet Explorer process." So, no matter how hard they force you, and how tempting the prompt message is, just DO NOT PRESS THE F1 button. Oh, unless you actually need to.
There are other solutions, which are a bit more involved. For example, users can set IE to show them a prompt before running any "ActiveX" controls or scripting, and Microsoft added that this would not affect general browsing.
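One way to check, and with `-Apply` set, the prompt behaviour described above; this is an added example, not taken from Microsoft's note or from this article. It assumes the per-user Internet zone key (zone 3) and the URL action IDs 1200 (run ActiveX controls and plug-ins) and 1400 (active scripting), where a value of 1 means "prompt".

```powershell
# Added example: audit the Internet zone's ActiveX/scripting policy and
# optionally switch it to "Prompt". Run as the user whose IE settings matter.
# Assumed layout: HKCU zone 3 = Internet zone; values 0 = Enable, 1 = Prompt, 3 = Disable.
param([switch]$Apply)

$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$actions = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting'
}
$policyNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$promptValue = 1

foreach ($id in ($actions.Keys | Sort-Object)) {
    # A missing value means the zone's built-in default applies.
    $prop = Get-ItemProperty -Path $zoneKey -Name $id -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        $value = $null
        $state = 'not set (zone default applies)'
    } else {
        $value = [int]$prop.$id
        if ($policyNames.ContainsKey($value)) { $state = $policyNames[$value] }
        else { $state = "other ($value)" }
    }

    $changed = $false
    if ($Apply -and $value -ne $promptValue) {
        Set-ItemProperty -Path $zoneKey -Name $id -Value $promptValue -Type DWord
        $changed = $true
    }

    [pscustomobject]@{
        Action      = $actions[$id]
        Id          = $id
        Before      = $state
        SetToPrompt = $changed
    }
}
```

Without `-Apply` the script only reports the current state. On machines where zone settings are managed by Group Policy, the policy value takes precedence over this per-user key.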
In the meantime, do not press the F1 button.