back to article MS confirms 'F1 to pwn' IE bug

Microsoft has confirmed that an unpatched Internet Explorer vulnerability makes it potentially dangerous to press F1 if you are running earlier versions of Windows. A security bug in the VBScript technology bundled with Internet Explorer means that it might be possible to create a web site that displays a specially crafted …


This topic is closed for new posts.
  1. Anonymous Coward

    Exsqueeze me!?

    MS have the nerve to take a pop at security researchers?! How about you tell the marketing people to get stuffed and spend more time fixing your shonky o/s eh? Cannot even press f1 for help without os getting stuffed now? For flips sake!

    1. The Original Steve

      @ Exsqueez me!?

      "...spend more time fixing your shonky o/s eh"

      Like Vista and 7?

      Just the 7 year and older platforms that could be exploited. The last two versions of Windows (relased in the last 4 years) are immune.

  2. Anonymous Coward

    simple fix

    Switch the F1 with the F2 key on your user's keyboards, with the way our users peck at their keyboards they wont notice anything odd.

  3. elpumkinhed

    This title has been required

    >Microsoft gave no indication of when a patch might become available but the next scheduled Patch Tuesday is only six days away, cutting it very fine to develop, much less test, a fix. An April or even May update for IE seems more likely.

    Glad to see you take security so seriously, Microsoft. Maybe next time, the hackers will wait until your calendar meshes nicer with theirs

    1. Anonymous Coward
      Gates Horns


      Yeah. Patch Tuesday: it's just so quaint! "Hold on there, Mr Hacker! If you could just wait until next Monday before proliferating your exploit..."

      Despite the mass of disclaimers in the average EULA, you've got to wonder whether people shouldn't have redress for such defects, especially since the "solution" is to pay the vendor yet more cash for the latest, ultimately defective product.

  4. koolholio

    The exploit itself

    The exploit itself affects how the winhlp32.exe is compiled. it is a stack buffer overflow which uses IE 6 to 8, and a malicious VBscript on the server-side.

    Changing the key pressed to initiate the help file will not change how the help file program was compiled, as it is not triggered upon the key pressed, but it is triggered upon the launch of the HELP file specifically.... whilst a msgbox is displayed.

    Simple advice: teach users to phone IT support when they see a message that looks suspicious!

  5. Anonymous Coward

    Exploit release timeline

    ===[ DISCLOSURE TIMELINE ]==============================================

    01 Feb 2007 The vulnerability was discovered.

    26 Feb 2010 Public disclosure.

    This exploit must be at least 3 years old!

  6. Anonymous Coward

    The reserchers are wrong

    Whatever your opinion of MS (The Original Steve makes a good point) these researcehers are wrong to release an exploit like this without notifying the vender. MS have a very efficient deparment when it comes to receiving this kind of information unlike Apple who just refuse to even have a process in place (as far as i'm aware). Fair enough tell MS that you'll give them a week to work on a fix then you'll release it but to just release it exposes allot of peole to risk untill a fix can be produced. This might not be a small task that can be fixed in a short space of time.

    1. Greg J Preece

      Previous experience?

      At times in the past it's taken a fair bit of negative publicity to get Microsoft off their arses and fixes developed. Maybe they've just decided to skip the slow stages of the development cycle. ;-)

  7. Bruno Girin
    Black Helicopters

    Conspiracy theory

    That's not a bug, that's a feature in the form of an incentive for users to upgrade from 2000/XP to Vista/7.

  8. OMGeek
    Paris Hilton

    But honestly...

    How much use does the F1 key really get from the common user, you know, with the actual word "Help" put nicely in the title bar? Joe Shmo can hardly figure out how to copy and paste using the keyboard, let alone venture into the function of the Function keys. Now if it were F5, I'd be livid.

    Paris, because if anyone, she needs F1.

  9. Stu

    Bad publicity = good

    Of course MS say the researchers should have gone to them first - it keeps the lid on yet another idiot blunder on Microsofts part. Sure it would have come out eventually, but it wont be as big a news story if they already sorted it - the worse the press MS get on all their poor software engineering, the better.

    Fact is the web exploits instructing people to press F1 are already in place, they were zero-day at the time, and the issue isn't likely to be made much worse by its going public, because now at least some people know not to hit F1. Generally, in the past, public knowledge of a vulnerability has NOT resulted in more websites attempting the same exploit (that is unless Microsoft or whoever fail to update their software promptly) because there are a hell of a lot more zero-day vulns available in the hacker community to work with.


    @Bruno Girin & The Original Steve - Yes people should upgrade, but there are still vulnerabilities discovered in Vista and 7 all the time, what about that ridiculous 17 year old VDM bug that was still present in all 32bit Windows OSes?

    This one, to my knowledge is one of a minority of bugs which only affect OSes prior to Vista.

  10. Anonymous Coward
    Black Helicopters

    This is a Microsoft conspiracy

    to get you to use a different browser - a few days after their IE option screen for other browsers - coincidence, I don't think so. Wait...what am I saying?

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2020