Microsoft warns of zero-day hole for older Windows

One workaround for hole that could be exploited by attackers taking control of Windows running IE is to avoid pressing the F1 key when prompted by a Web site.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read


Microsoft warned of a new hole on Monday that could be exploited by attackers to take control of older Windows systems running Internet Explorer and for which proof-of-concept exploit code has been released publicly.

The vulnerability affects Windows 2000-, XP- and Server 2003-based systems. It exists in the way that Visual Basic Scripting, or VBScript, interacts with Windows Help files, Microsoft said in its security advisory. VBScript is an Active Scripting language for executing functions embedded in Web pages.

In an attack scenario, victims would somehow be lured to visit a malicious Web site that displays a specially crafted dialog box, Microsoft said. The box could prompt visitors to press the F1 key, which would install malware on the visitor's computer when pressed. The F1 key is used to bring up the help function.

Windows Vista, Windows 7, and Windows Server 2008 are not affected. The issue is mitigated on Windows Server 2003, where IE Enhanced Security Configuration is enabled by default.

The advisory includes several workarounds, including advice to avoid pressing the F1 key when prompted by a Web site, restricting access to the Windows Help System, setting Internet and Local intranet security zone settings to "high" to block ActiveX Controls and Active Scripting, and configuring IE to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zone.

Microsoft complained in its advisory and a statement that the vulnerability was not responsibly disclosed. The hole was revealed on Friday and proof-of-concept code was released by iSEC Security Research.

Anyone believed to have been affected by the hole can visit Microsoft's Consumer Security Support Center Web site.