Beware the F1 key
How many times have you used a software application that tells you to press the F1 key for help? Up until now, that has been a relatively safe thing to do -- but thanks to malicious software writers, it may not be so safe now. Microsoft has discovered a bug in its Internet Explorer web browser, which could enable a malicious Web site to take control of your system with a single keystroke.
The vulnerability stems from the way that Microsoft's VBScript -- a programming language used to make the browser do various things -- interacts with Microsoft Windows Help files. If an attacker crafts a dialog box to be displayed by a webpage, and includes certain commands in it written using VBScript, then when the user presses F1 (as instructed by the dialog box), the browser can be used to execute the attacker's malicious code on the victim's computer. What this means in practice is that if you hit the F1 key because a website tells you to, then you could be infected with a virus, and joined to a botnet.
So, what can you do to avoid being hit by this attack? The obvious and easiest solution is not to press the F1 key if instructed to do so by a website. However, Microsoft advises other workarounds that might give you more protection if, for example, someone else in your family gets caught out by the attack while using your computer. It provides instructions on how to set your Internet and local intranet security settings to high, which will disable ActiveX controls and Active Scripting when you are surfing. However, it warns that this could have some unintended side-effects, by stopping you from using the full functionality of other websites that support Active Scripting.
It's important to note that this vulnerability only affects Windows XP, which means that if you are running Windows Vista or Windows 7, then you won't be susceptible to this attack. It represents another reason why it might be time for people to upgrade if they are still using Windows XP. Back in January, a targeted attack called Operation Aurora used a vulnerability in Internet Explorer 6 to exploit Windows XP-based systems. Over 30 companies, including Google and Yahoo, had their computers compromised in what is believed to have been a comprehensive long-term effort to steal intellectual property. As a result, both the German and French governments warned their citizens not to use the browser. Furthermore, Google is discontinuing support for Internet Explorer version 6.
One possible solution for users could be to switch to another browser until Microsoft's latest security problem has been resolved. Google's Chrome has been developed from the ground up with a secure architecture (although Google admits that third-party plug-ins offered as extensions to its system may not be secure). Firefox and Opera are two other browsers that might provide you with alternative options.
However, the truth is that no browser is safe all the time. Most browsers suffer from vulnerabilities. When a 'zero-day' vulnerability is announced for a browser (that is, a security flaw that has not yet been patched), having multiple browsers installed means that you always have the option to switch to another browser until the problem is solved.
This is not the only vulnerability that Internet Explorer has suffered from recently. Another bug, discovered in early February, allows attackers to harvest personal information from a user's computer by getting a victim to visit a malicious Web site.
Danny Bradbury, MSN Tech & Gadgets
Comments
Posted by: FIREFOX | Mar 5, 2010 10:56:41 PM
FIREFOX FTW HAHAHA
Posted by: Phil | Mar 8, 2010 11:03:59 AM
Now the cynical person might think that this is MSN's way of forcing everyone to upgrade to Windows 7...but, nah, they wouldn't be that callous and manipulative....would they? lol