Sometimes Getting Help Only Makes Things Worse – Microsoft Confirms F1 Vuln In IE
Microsoft has confirmed a bug in Internet Explorer in which, if you visit a malicious website and then press the F1 key for help, that website can use VBScript to execute code on your machine. It’s a potentially disastrous vulnerability, but one fairly well mitigated by the fact that hardly anyone really needs help using the internet. Without the user opening up Internet Explorer’s help file, this particular security hole is no threat at all.
Further mitigating this remote execution IE vuln is that only versions of Windows which support IE’s Enhanced Security Configuration are affected, meaning that Windows 2000 (Win2K), Windows XP (WinXP), and Windows Server 2003 are vulnerable, whereas Windows Vista, Windows 7, and Windows Server 2008 are not. At least not typically. Whether the Enhanced Security Configuration can be turned off, and whether anyone has actually done this, is another matter.
When we’ll ever see a fix is anyone’s guess. In the meantime, just don’t press F1 while using Internet Explorer. Especially if a website tells you to.
Aw, heck, who are we kidding? Just don’t use Internet Explorer!
