Microsoft to XP Users: Don’t Press F1

On the heels of a Google engineer finding a security vulnerability that had been lurking in Microsoft Windows’ Virtual DOS Machine for 17 years, another doozy has turned up: Microsoft has issued a security advisory for Windows 2000, Windows XP, and Windows Server 2003 warning that just pressing the F1 key—you know, for help—while using Internet Explorer could trigger a VBScript vulnerability that could enable attackers to take over the machine.

“The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer,” Microsoft wrote in the advisory. “If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user.”

In theory, the flaw could be exploited by attackers passing malware disguised as a Windows Help (“.hlp”) file. Exploiting the issue does require that the attackers somehow convince users to press the F1 key to trigger the vulnerability. The flaw affects Internet Explorer 6, 7, and 8 on the affected operating systems; Windows Vista and Windows 7 are not vulnerable.

“As an interim workaround, users are advised to avoid pressing F1 on dialogs presented from Web pages or other Internet content,” said Microsoft Security Response Center’s David Ross, in a TechNet blog post.

Microsoft has expressed dismay that the vulnerability was made public before a patch could be developed and deployed to mitigate the risk. Typically, security researchers report flaws to vendors privately so a workaround can be tested and released before announcing the flaw to the broader world where attackers and cybercriminals might move quickly to exploit it.

Geoff Duncan
Former Digital Trends Contributor