Sunday, March 07, 2010

Windows XP users: Don't press F1

If you're browsing the web today and see a notice that you should press the F1 key (the traditional button used to get "help" in any application), don't do it.

Microsoft is warning of a brand new exploit that can cause computers running Windows XP and using the Internet Explorer web browser to become infected with malware at the push of a button: Specifically, the F1 button.

The flaw is part of the way Visual Basic and Windows Help are implemented within IE, the upshot being that a clever hacker can code a dialog box that will allow the running of any code the hacker wants. Traditionally this means installing any kind of malware or virus on the victim's PC that a hacker desires.

The good news is that this exploit isn't extremely dangerous because it does require user interaction to install itself. Unlike some recent exploits, merely visiting an infected website won't cause harm to your computer: You actually have to "push a button" to be affected.

The bad news is that the F1 button has always been seen as harmless, more so than simply clicking "OK" on the average prompt you might see. When dismissed, the prompt can also be coded to pop up repeatedly, so getting rid of it might not be simple.

Microsoft is advising users that, until a patch can be written and released, users are advised not to press the F1 key while web browsing. No matter how many pop-ups and alerts a user receives, as long as F1 is not pressed this attack will not succeed.

Microsoft has not announced a timeline for the fix, but its next patch release is due on March 9. Hang tight, but don't ask for "help."

No comments: