Microsoft - Pressing F1 on Keyboard Potentially Dangerous

According to Microsoft, an unpatched security flaw in Internet Explorer poses a potential risk if the F1 key is pressed by a user running earlier Windows versions, as reported by TheRegister on March 3, 2010. The Microsoft security team is conducting an investigation into the problem and will issue an advisory once the investigation is complete.

An advisory, which Microsoft Security Research & Defense posted on March 1, 2010, reveals that the vulnerability allows a specially crafted website to reach Windows Help files via IE with the help of VBScript. When the attack occurs, a pop-up appears. This message prompts the user to press F1, which is necessary for the attack to complete.

US-CERT states that a web page, a file attachment in an e-mail, or an HTML-based e-mail can trigger the attack, provided the file is displayed through IE. The browser is often used to render HTML for other software even when no normal IE window is visible.

Although Windows Server 2003 is affected by the flaw, the default setting of IE lessens the threat. The flaw doesn't affect Windows 7, Vista and 2008.

A proof-of-concept has been released. Nevertheless, Microsoft said that no attack exploiting the flaw has been reported and no customer has been impacted to date.

Meanwhile, the Redmond-based company criticized security experts because they seemingly didn't approach it with the problem. The criticism was posted in the March 1, 2010 advisory. It is said that Microsoft was disturbed that the new flaw wasn't responsibly revealed, leaving computer users in danger. The company continued to maintain that security professionals need to reveal flaws responsibly. The company believed that reporting flaws straight to a security company was beneficial to everyone.
The practice helped make sure that customers got high-quality and comprehensive security updates for software flaws while the update was being prepared, the advisory concluded.

Although Microsoft hasn't specified when it will issue a patch, the likely period is April or May, when an IE update will be released.

SPAMfighter News - 3/8/2010