Microsoft Says, Don't Press the F1 Key In XP
Ian Lamont writes "Microsoft has issued a security advisory warning users not to press the F1 key in Windows XP, owing to an unpatched bug in VBScript discovered by Polish researcher Maurycy Prodeus. The security advisory says that the vulnerability relates to the way VBScript interacts with Windows Help files when using Internet Explorer, and could be triggered by a user pressing the F1 key after visiting a malicious Web site using a specially crafted dialog box."
As long as CTRL-ALT-DELETE still works we're golden.
F1rst
This is yet another reason why MS' idea of a tax to deal with malware tax is stupid.
Just leave your windows box off, you'll be doing us all a favor...
You cannot warp because you are warp scrambled.
F1!
I need somebody!
F1!
Not just anybody!
F1!
You know I need someone!
F1!
How about, don't hit F8 for "I Agree" to the XP EULA?
Does that protect me?
... try to F1 (if you know what I mean) ..he he.... he
Any XP user still using Internet explorer probably hasn't a clue that F1 does anything at all.
Sig Battery depleted. Reverting to safe mode.
F1 is now FU! (originally from BOL chatroom)
I find the idea that Microsoft is angry at the people who found a problem in Microsoft software not telling Microsoft about it hilarious.
"Maybe this world is another planet's hell"
Aldous Huxley
F1 in Windows, Office or MSIE has never caused any useful information to be displayed, so why would anyone ever press it in the first place?
This won't affect anybody: those users that aren't very computer literate don't even know that help exists and is one key away... the other ones already know that windows help won't lead you anywhere!
"Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."
Call me a cynic, but I've got to be honest: The net effect may be positive, but I don't believe that Microsoft's idea of 'responsible disclosure' results in high priority investigation and timely patching of MS products.
I tried it and got a Firefox friendly help tab. F1 is the second most annoying key.
What you really don't want to press is that cursed, evil POWER key. You know, when you're trying to find the Page Up ke
Most users rarely use the F1 key for its intended purpose: to get help on whichever application they're fumbling through and instead just ask the nearest person to them who "knows a lot about computers" for help. So, the risk here is probably pretty small.
Given the quality of the F1-contents these days, especially in MS apps, that's not such bad advice - google instead.
The security advisory says the problem has to do with the way Internet Explorer interacts with the help system. Does anyone know if Firefox users are vulnerable?
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
One way to avoid security problems is to also avoid the "ON" button.
This is ucking ridiculous. I'm a ullerene chemist, or uck's sake!
I find it fascinating just how long everyone has been putting up with the crap attitude towards security involving windows. Internet explorer has been the biggest waste of disk space since there have been alternatives out there and it's amazing to me how many bone-headed people and developers are still insisting on using it. Microsoft must be very proud of itself.
boycott slashdot February 10th - 17th check out: altSlashdot.org
press F1 to continue.
He's right. AutoHotkey is excellent. Change any key to anything else, or to a sequence of keystrokes.
We're sunk! What happens when someone finally figures out the space bar hack?
than to tell people not to do it. Call it fatalism.
...you're not losing all that much.
How many people were still using 3.1 in 2002? If you're still using XP at this point you deserve every problem you get.
*The most erroneous stories are those we think we know best - and therefore never scrutinize or question.*
Don't press the F1 key in XP after running Internet Explorer ... unless it's Wednesday, a third Tuesday of the month, or the moon is Gibbous. A browser should NOT be so integrated to the operating system to allow this sort of behavior!
I'll have to stop missing the ESC and ~ key!
Most annoying thing: press F1 in a software like Visual Studio and have to wait 5 minutes for it to refresh online help.
Can I change another key to be the any key? I can never find that darn thing.
AutoHotkey has its own free editor with syntax highlighting.
I just checked. My AutoHotkey script is 1,639 lines, 52,140 bytes. That doesn't include the special scripts.
The source code is available, as is a GUI creator.
The AutoHotkey programming language is quirky.
AutoIt has a more standard language. AutoIt is better for complex automated installation scripts, for example. AutoHotkey is better for hotkeys. Both offer compilation of their scripts to .EXE files.
Like windows users know what the F1 key is..or how to help themselves. That's why they use windows to begin with.
Suddenly get the urge to press the F1 key?
http://wwww.zerospeaks.com
More importantly, is there a way to disable F1 in Windows? I can't tell you how many times I've accidentally hit it when trying to hit Esc.
Start using Emacs.
In the old days you actually had to THINK to figure out how to do something on the PC. Real actual honest to god research and thinkin about something. No foolin!
In the old days the bad guys actually had to THINK to figure out how to pwn a PC. Real actual honest to god research and thinkin about something. No foolin!
Needless to say, I turned down the job offer. It doesn't surprise me how they keep making flub ups like this when the people at their company are so arrogant.
My shitty tech blog posted something relevant to your interests.
You better watch out, there may be dogs about . .
Microsoft admits that their 'Help' is harmful.
All your database are belong to U.S.
Due to AHK's quirkiness (limitations + my ignorance) I intermingle python/bash scripts with autohotkey.
You better watch out, there may be dogs about . .
I never hit F1. I've found windows help to be absolutely useless.
I hit F1 by accident at least once a day trying for the Esc key.
Oh no! Malware has taken over my computer! I need help! Let's see... don't panic... finding help...
*F1*
OK then. Finally! Here we go. Wha...? Malware again? Damn! Why does this keep happening?
*F1* *F1* *F1* ... Oh come on!
F1ck Microsoft.
Say hello to my little sig.
http://vbox7.com/play:3b327f9e
It's the history eraser button, you fool!
.. than to tell everyone NOT to press a key most people probably barely registered the existence of up until now?
(and yes, I just hit F1 consciously for the first time in my life after reading this)
Speak with a Windows Developer to learn about the power of "Help" and amazing things it can do. Remember, VBScript is there so it can be exploited. It can also launch apps, you can even embed registry files to help files (saw pc pitstop did it, in white hat way).
They never sit and think why the hell that exploit exists, they just want to release 10002020th patch for a broken thing.
(Obviously, Apple is so lame and old fashioned to stick with plain html files)
If that Polish researcher sold the exploit to black hat mafia for 1M dollars and it took months to figure the cause of an ILOVEYOU sized infection, they would see what irresponsible is. Remember, ILOVEYOU was coded for lame reasons and show off... These days, worms are coded for huge black hat economy nobody dares to predict.
Wouldn't it be simpler just to use a different browser? geez - they could have pointed that out in the FA. I was about to add a comment to that effect there - then I saw, written above the comment box "Sponsored by Microsoft". I guess that's why they didn't recommend trying a different browser...
It doesn't sound great for publicity but, Firefox/Opera/Safari developers should really educate newbies telling they _still have to have windows security updates_ whether they use IE or not.
It is a core part of OS they are running and it will stay for a long time. I saw many people who don't update windows just because they use Firefox. In some rare cases, they didn't even have antivirus installed.
OS X scene isn't that horrible yet but for Windows, not having security updates is really crazy unless you are on an isolated/secured/mission critical machine.
Also, if you type "google" into google, you can break the internet so don't do it, even as a joke.
The stock command coming with XP can convert FAT32 to NTFS in matter of minutes. I guess it would take seconds if it didn't do a chkdsk internally. Now, instead of all that trivial junk being told to user while installing Windows XP, MS could say "We introduce a new filesystem with Windows XP, it is faster, more reliable and has more features. It also makes checking disk needless." with "Convert my startup drive to NTFS" checkmark selected.
That time, users would move to NTFS and no, they would still have no clue about the filesystem they run. So, for 8 years, everyone could be running some kind of modern filesystem rather than something designed for DISKETTES.
Apple did it when they were absolutely sure journaling doesn't create problems for 99.999% of users, with couple of clever UI tricks, they made sure everyone enabled journaling. They still do the similar tricks to prevent users easily disable journaling (mostly because of FUD on www). I wasn't around on Mac scene when HFS got upgraded to HFS+ but I am sure they did similar tricks to make users move and get rid of archaic filesystems.
> Can I change another key to be the any key? I can never find that darn thing.
You can't find it because it's sold separately. How the heck have you been using your computer all this time without one?
> Can I change another key to be the any key? I can never find that darn thing.
Yep, AutoHotkey supports this. In fact, if you're feeling wild, you can bind every key to it!
Especially with XP, the last version of Windows that allows you to nuke absolutely every service, disabling help is one of the first things I do.
I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
Pressing F1 opens the seventh seal.
Wouldn't it have just been better to say, "Oh my, bad car analogy" and call it a day?
--
Toro
Whenever I had to admin a windows network, this is the one goddamn key I wish my users would have hit before picking up the phone.
And now they won't because they don't want to get virus?
I mean, I don't really care any more since I support Linux, but, shit man, I feel bad. That's just not right.
You're welcome.
Best way to stay trouble free on Windows? Don't use IE. Or Outlook. Or IIS.
150 Opening BINARY mode data connection for slashdot.sig (129323052 bytes).
Man, And I was just about to play F1... Good save. ;)
You idiots this is only for IE6 on malware sites.
That's going to equate to almost no one. Yet since it's Microsoft the Linux zealots are out in full force.
Get over it.
We need to tax the internet to fund schools to teach people not to press F1!
Just don't press the 'Power' button on a Windows system and all will be well.
Have gnu, will travel.
"The security advisory says that the vulnerability relates to the way VBScript interacts with Windows Help files when using Internet Explorer, and could be triggered by a user pressing the F1 key after visiting a malicious Web site using a specially crafted dialog box." ... except on Tuesdays.
If you are running XP and pressed the key just to see what would happen. Raise both hands if you are running 7 OSX and/or Linux and are pressing the key like mad just to rub it in to those who can't.
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.
Go here. Comes complete with a Panic Button too. http://abernook.com/prod/Panic-Button-Gift-Set.asp?source=froogle
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.
Polish guy that invented powdered water, screen doors in submarines and ejection seats in helicopters; I just know it.
It looks like this.
help tax Scott Charney?
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
But I run windows??? I never need to press a key to get a kernel panic...
I have a small utility running that toggles the "Keep On Top" state of the current window. I chose F1 as the key for this since it is the key I otherwise use least. Since it is set up as a global shortcut, the F1 help problem is no problem here ;-)
If my calculations are correct, it should be sometime around 2007 for whomever is reading this. DO NOT USE THIS BUTTON. Something... happens with it. Something came through, something from somewhere else. We were overrun in days, not many of us are left. WE LIVE UNDERGROUND! ONLY YOU CAN STOP IT NOW. SAVE US. DO NOT USE THIS BUTTON !
What's Windows XP?
> Just to finish up, consider what happened on OSX with pirated copies of iWorks.
:)
well, if you go deeper into matter, it seems, it was a trial installer of iWorks, not a pirated full version. Since pirating is used in terms of downloading software you normally have to buy, I would not call it pirated.
There is a similar story about fraud, using an advertisement to download openoffice offering dialers or paid subscriptions for the download. Also that OpenOffice you download there is not really pirated, now is it? (worst thing: that fraud is even legal).
Of course I could be wrong, but http://blog.notahat.com/posts/28 tells me, it's a trial installer.
I don't own an apple, so it could be that the trial installer is also the full version you have to enter a code into, and the "pirated" copy had a registration key or crack in bundle.
But there are millions of sites offering downloads of whatever, like directX. It would be easy thing to extend it with a virus, which is kinda your point.
Was just the word "pirated" that somehow irritated me
From the article:
By Prodeus' account, he notified Microsoft of the flaw Feb. 1, about four weeks before publishing his findings.
Pressing F1 accidentally
Until Feb 2010: "Nooo! Not the f.. Indexing! I wanted to..." *SLAM* -> primary feeling is anger.
From Feb 2010: "Nooo! Have mercy!" -> primary feeling is fear.
MS just healed one of the two major choleric computer users' psychological triggers, now they only have to replace the Don't send or send Error report popup with a virus, too.
Being transformed by fear to my new tyrant, I SHALL GUARD MY F1 BUTTON WITH MY MOUSE+1! YOU SHALL NOT PRESS!
If my calculations are correct, it should be sometime around 2007 for whomever is reading this. DO NOT USE THIS KEY. Something... happens with them. Something came through, something from somewhere else. We were overrun in days, not many of us are left. WE LIVE UNDERGROUND! ONLY YOU CAN STOP IT NOW. SAVE US. DO NOT USE THIS KEY!.
:D
The help system in Windows XP was pretty good. It saved me several minutes of work, sadly the help system in Windows Vista is useless to the degree that I once fired up XP just to search help for something in Vista.
If you are still using XP at this point, who cares? Go for it. Press F1 while running FlashPlayer and Acrobat and IE6 simultaneously. If you gave a shit or had any data worth protecting you'd already be using a Mac or other Unix.
"Don't Touch Me There!"
you are fucking insane. I'm amazed even the craziest Linux hippies are modding up...
Now windows users finally start to RTFM! Great job MS!
Whenever people say that Microsoft products are easy to use, they are conveniently ignoring stuff like this.
And geeks wonder why normal people are intimidated by computers...
http://outcampaign.org/
The F1 key selects the flashbomb in Thief Deadly Shadows which is necessary in any computing environment!
Sorry, but gray text on gray background is making my eyes bleed.
The F1 key threat isn't that bad. It's the power button that creates a real vulnerability.
(((dB)))
The problem is the handling of VBScript in IE. No other browser supports VBScript.
Well that's my method for 'offering remote assistance' screwed then ;-)
just a second.... *hack*hack*haaaaaaack*... there, I changed it to the space bar for you...
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
Only a clueless MORON would use IE in the first place. They deserve EVERYTHING they get!!!
Where is this another key you speak of? :x
I guess now I'm going to be getting support calls from people unable to find the "any key except F1" key.
But I run windows??? I never need to press a key to get a kernel panic...
Troll Really? Fuck you Microsoft fanboys... go press your F1 key a couple times...
just don't hit any key on your winderz PC.. You'll be safe then.
the good news is that this does not affect Windows 7. Thank goodness... all we need to do now is upgrade all our office computers to Windows 7. And at the current market price for Windows 7... why wouldn't we want to upgrade to this obviously secure and definitely more powerful windows experience? I mean, we could wait for a fix to Win XP... but why wait? At these prices and with all those benefits MS told me about. Combine that with all the happy experiences I see from those PC people on TV saying how it was "their idea". In a way, I'm actually glad this happened. Now we can finally get around to buying this new software I know that we must need in order to "keep with the times".
I sure hope they come out with Win 8 (tm) soon after our upgrades are complete. I can't wait to see how secure that one is in relation to Win7. You can't even imagine. I bet it has security fixes for malware that isn't even written yet.
In the meantime, I guess I will just have to turn off popups, disable VBScript, uninstall IE, overwrite the Win XP O/S and pop out the F1 key for good measure. I'm sure my Internet experience will be safe after that.
Note: I am not associated with MS. These opinions are entirely my own. I wasn't even paid indirectly through microsoft to say this... so don't even bother checking.
Well that f***s my workflow. The main audio editing software at work uses F1 for marking the start of a crop. Yes, I could click it, but really, scrubbing and marking on the function keys is quicker by a country mile. 10 edits/minute, cut and checked, on function keys, 2/minute via mouse.
Of course, the effwits who choose our software won't upgrade us to Doze 7 for 2 years. And they wonder why I use a Mac at home.
I couldn't help myself *grins*
Dave
Our lives begin to end the day we become silent about things that matter. --Martin Luther King Jr.
Dear customer base...
Please refrain from pressing the space bar, the Enter key and Delete button as a major exploit has been found in Windows XP and we have no idea how to fix it. Not pressing the latter buttons will allow you to continue using our feature full product at its full extent.
Thank you
Microsucks
"Your bucks stop here"