Wednesday, March 3, 2010

1840...Windows XP users: Don't press F1

This is straight from Christopher Null and Yahoo News Canada:

If you're browsing the web today and see a notice that you should press the
F1 key (the traditional button used to get "help" in any application), don't do
it.


Microsoft is warning of a brand new exploit that can cause computers
running Windows XP and using the Internet Explorer web browser to become
infected with malware at the push of a button: Specifically, the F1
button.


The flaw is part of the way Visual Basic and Windows Help are
implemented within IE, the upshot being that a clever hacker can code a dialog
box that will allow the running of any code the hacker wants. Traditionally this
means installing any kind of malware or virus on the victim's PC that a hacker
desires.


The good news is that this exploit isn't extremely dangerous because
it does require user interaction to install itself. Unlike some recent exploits,
merely visiting an infected website won't cause harm to your computer: You
actually have to "push a button" to be affected.


The bad news is that the F1 button has always been seen as harmless, more so than simply clicking "OK" on the average prompt you might see. When dismissed, the prompt can also be coded to pop up repeatedly, so getting rid of it might not be simple.


Microsoft is advising users that, until a patch can be written and released, users are
advised not to press the F1 key while web browsing. No matter how many pop-ups
and alerts a user receives, as long as F1 is not pressed this attack will not succeed.


Microsoft has not announced a timeline for the fix, but its next patch release is due on March 9. Hang tight, but don't ask for "help."

Of course you don't know how badly I want to press F1 this very second; how about you?

WFDS
