The vulnerability could allow an attacker to host a maliciously crafted Web page and run arbitrary code if they could convince a user to visit the Web page and then get them to press the F1 key in response to a pop-up dialogue box. Microsoft says it is not aware of any attacks seeking to exploit this issue at this time and believes that users running Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista are not affected.
“The issue in question involves the use of VBScript and Windows Help files in Internet Explorer,” a Microsoft blog posting explained. “Windows Help files are included in a long list of what we refer to as ‘unsafe file types’. These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system.”
Microsoft advised users to avoid pressing F1 on dialogue boxes presented from Web pages or other Internet content. “If a dialogue box appears repeatedly in an attempt to convince the user to press F1, users may log off the system or use Task Manager to kill the Internet Explorer process,” said the company in a security research note. Users can also set Internet Explorer to show a prompt before running any ActiveX controls or scripting, which Microsoft said will not affect general browsing. A fix for the problem will probably be issued at a later date.







