Wednesday, March 3, 2010

XP users: don't use the F1 key when surfing with Internet Explorer

There's a nasty VBScript security bug around how IE interacts with Windows Help:
Microsoft told Windows XP users today not to press the F1 key when prompted by a Web site, as part of its reaction to an unpatched vulnerability that hackers could exploit to hijack PCs running Internet Explorer (IE).
In a security advisory issued late Monday, Microsoft confirmed the unpatched bug in VBScript that Polish researcher Maurycy Prodeus had revealed Friday, offered more information on the flaw and provided some advice on how to protect PCs until a patch shipped.
"The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer," read the advisory. "If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user."
Executing arbitrary code is the name of the game. Write "don't press me" in red letters and tape it on the F1 key if you're running XP and using IE. Sitemeter tells me that over half of you are XP users, and 40% are still on IE, so a word to the wise.

This is likely to be fixed in the next Patch Tuesday update, but remember that XP is almost ten years old, and Microsoft may stop releasing security patches for it in a year or so. You might want to start planning an upgrade - I quite like Ubuntu Linux. The kids just migrated there from the Windows 7 beta, and seem quite happy with it.

7 comments:

soulful sepulcher said...

That would be great if MrsBP wrote a post about it, because ppl like me who just cannot find patience for this stuff, and waiting for downloads etc! maybe she can convince me!

GreyBeard said...

I hate to get even more dependent on Google, but what about Google's Chrome? (on XP)
I used to play with Ubuntu a lot when I was working, but nowadays (retired 4 years) I'm not sure I want to put the time into changing operating systems. :-(
Maybe when MS tries to force me to Windows 7 or something.
Speaking of other operating systems, I just remembered that I have an old copy of VMware on my PC someplace, I suppose I could fire it up and play around with the newer version of Ubuntu.

Borepatch said...

I'll show her your comment, Stephany. Unlike me, she doesn't like to mess around with stuff, she just wants to get on the 'net.

GreyBeard, I recommend that people move to Firefox. It's much more secure than IE 6 or 7, and has a much faster update mechanism than IE 8. For now, XP isn't the problem. Your idea of playing with Ubuntu in VMware is a good one, although you can download a liveCD image direct from the Ubuntu site. Boot into the liveCD, and you can try it, without replacing your current Windows.

Matter of fact, if you like Ubuntu, you can keep XP around as a VMware image running under Ubuntu.

elmo iscariot said...

The only thing I didn't love about switching to Ubuntu was how it turned my printer into a paperweight.

Apart from that, the install was amazingly painless, and retraining myself wasn't hard.

Best antivirus software _evar_.

BobG said...

People still use IE? Whatever for?

wolfwalker said...

Well, let's see. I don't use MSIE. I never press F1 for help; I go through the Help menu. So I don't think I need to worry much about this bug.

On switching to Ubuntu: love to, but

a) I use too many windows-only programs; and

b) all the manual tweaking that Linux requires would drive me nuts. When I plug in a flashdrive or a cardreader, or turn on my laptop's wireless, I want it to WORK -- first time, every time, hot-swappable, no manual mounting or dismounting or other mucking-about involved.

Borepatch said...

Best antivirus software _evar_.

Elmo, heh.

Bob, Sitemeter tells me there's a lot still left. Especially IE7, which is a real security problem (IE 8 much less so).

Wolfwalker, haven't tried a cardreader, but I've never not been able to read a flash drive. But I understand about apps that only run on Windows. iTunes was the big challenge here - Mac and Windows only.