Microsoft Says, Don't Press the F1 Key In XP

Ian Lamont writes "Microsoft has issued a security advisory warning users not to press the F1 key in Windows XP, owing to an unpatched bug in VBScript discovered by Polish researcher Maurycy Prodeus. The security advisory says that the vulnerability relates to the way VBScript interacts with Windows Help files when using Internet Explorer, and could be triggered by a user pressing the F1 key after visiting a malicious Web site using a specially crafted dialog box."

Yet another reason

[Dracos]

This is yet another reason why MS' idea of a tax to deal with malware tax is stupid.

Re:Yet another reason

This is yet another reason why MS' idea of a tax to deal with malware tax is stupid.

It's almost amusing that a Web browser is so tightly integrated with the operating system that scripts run by it can influence core system functions without actually rooting the machine. I guess this is what happens when you ignore decades of computer security history and discard the principle of least-privilege. Hopefully Windows 7 (and Vista) is not defective enough to allow a userspace application to screw around with a built-in OS function like help files.

Look, if we're honest, the only reason why IE is so tightly integrated with the OS in the first place is because Microsoft wanted to abuse its desktop OS monopoly by using it to dominate the browser market. If not for that, IE would be a standalone browser and would be separate from any built-in HTML rendering that's part of the core Windows system, like help files in this case. This is one reason why I use Linux: Microsoft obviously cares about its marketshare more than my security, and I cannot in good conscience use my money to support a company with such backwards priorities. I'm sure someone will chime in with talk about how useful Windows is, and I won't argue (much) with that.

This is really a moral issue. Anyone with decent principles wouldn't want to reward a company with such questionable business practices, not even if they made the finest software available. I'm sure the rest of you who don't have such principles will have a million excuses for why you continue to support Microsoft with your wallets, and that's fine. Every dishonest organization has its useful idiots without which it could not continue existing.

Re:Yet another reason

[shutdown+-p+now]

You do realize that KDE, for example, also uses the same HTML component - KHTML - for both its standalone browser, and help system (and many other things)? I'd expect OS X to do the same with WebKit. Gnome is different, but mainly because of the mess they made with GtkHTML vs Gecko vs WebKit; the long-term plan, as I understand, is still to migrate to WebKit for everything.

It's also purely a matter of practicality - I mean, why would you have two distinct HTML renderers?

Re:Yet another reason

[shutdown+-p+now]

Quality-wise it's clearly a defect, but GP was ranting about it from some moral "evil monopoly" perspective.

Re:Yet another reason

[shutdown+-p+now]

You do realise that KDE and Gnome are not operating systems? "OS X" is also not an operating system in the typical sense of the word; it has Darwin [wikipedia.org] under the covers, responsible for managing all the hardware and important functions like permissions, ensuring that the core system can't be hosed when an rogue application is somehow allowed to be run as a user.

Guess what? Windows works in exact same way. There's the kernel there, then a set of userland APIs on top of then, then the UI layer, and finally the actual DE. Just because they are shipped in a single box, and aren't explicitly marked as separate, and given funny-sounding names, doesn't mean they aren't there.

Do you seriously think that NT kernel somehow uses IE under covers?

It is comforting to know that if something goes wrong on Linux or OS X (or similar), that the problem is almost always limited to only a single 'user' account

It depends on your definition of "something goes wrong". A privilege escalation exploit has the same problems on any OS, and without one you can't break the system on modern Windows versions (speaking of which, note how Vista/7 aren't vulnerable in this case), either - user account security is not fundamentally different in NT compared to Unix.

Oh, and this isn't what is usually understood by a privilege escalation vulnerability - it doesn't give you root or anything. It's rather a sandbox breakage - scripts which should be executing in a browser sandbox "leak out", and run with all privileges of the user interacting with the machine.

Re:Yet another reason

[Bigjeff5]

Look, if we're completely full of shit, the only reason why IE is so tightly integrated with the OS in the first place is because Microsoft wanted to abuse its desktop OS monopoly by using it to dominate the browser market.

There, fixed that for you.

IE was originally just an extension of Windows Explorer to browse the web and read HTML. It was literally a small app that pointed to a few new dlls and a whole lot of dlls that were already there. Explorer already processed files for Windows, and HTML was basically just a text file that needed processing. The simple solution? Add a dll and an app to call it, and let Explorer do the rest. Remember IE was born when the internet was practically nothing, almost everyone used AOL or Prodigy or some other service, and they all had their own browsers. IE was more of an "Eh, it could be useful" add on for Windows. As such it didn't warrant investing a lot of time and effort into a separate app, especially when most of the functionality needed was already there.

The reason IE is integrated so tightly with the OS is because it is an offshoot of the OS, that's how it came about. It's like pointing to a branch and saying "Lets be honest, the only reason the branch is so tightly integrated into the tree in the first place is because the tree wanted to dominate the branch market. If not for that, the branch would be a standalone standalone plant and would be separate from any built-in circulatory system that's part of the core tree, like the roots." Any dumbass can see the branch came FROM the tree, and is used extensively by the tree to improve its ability to live.

Browsers that started as completely separate entities obviously don't have this problem, but Internet Explorer did not start this way. On the one hand it has helped them gain dominance in the browser market (and really, had it been a separate program they would still have the dominance, integration has nothing to do with that, inclusion with the OS does). On the other hand, being so tightly bound into core OS functions has led to a lot of security issues over the years, which has hurt their position in the browser market.

Only MSIE users

[icebike]

Any XP user still using Internet explorer probably hasn't a clue that F1 does anything at all.

MS was concerned about how this was exposed?

[Meshach]

From TFA:

Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

I find the idea that Microsoft is angry at the people who found a problem in Microsoft software not telling Microsoft about it hilarious.

Re:MS was concerned about how this was exposed?

[timeOday]

Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug. You can't argue that "security researchers" who sell 0-day vulnerabilities on the black market are helping anybody but themselves (not that Prodeus fits this description).

Re:MS was concerned about how this was exposed?

[causality]

Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug. You can't argue that "security researchers" who sell 0-day vulnerabilities on the black market are helping anybody but themselves (not that Prodeus fits this description).

I frequently hear this type of reasoning. It should be listed as a known/cataloged talking point so we can all absorb it once and move on, instead of seeing it rehashed every time this sort of discussion comes up. Sorry but old and well-worn arguments aren't contributing much. They don't have much power to convince anyone who doesn't already subscribe to that viewpoint.

What I don't hear so much about is the incentive provided by full public disclosure. If you know that security vulnerabilities will be disclosed to the public, that this will result in security problems for your customers, that it will cause public humiliation for your company, is this not a strong incentive to secure your software in the first place? Confidential disclosure to the vendor only seems like it lets them off the hook a bit too easily. I'd normally be slow to view it that way, but Microsoft has a long history of such problems despite having tremendous resources it could dedicate to proactively eliminating them. They have the expertise, they have the money, they have the ability; what they lack is the will. There's simply no excuse for allowing a browser to influence bulilt-in OS functions. I view this more like negligence on Microsoft's part and less like an unforeseeable event that could have happened to any vendor.

As far as causing the least harm to the end users, should we be concerned about this in the long run? In the short term this can be quite unpleasant, and I don't enjoy the idea that someone who just wants to get their work done might have problems because of something beyond their immediate control. But it's not entirely beyond their control. Microsoft could not possibly exist were it not for the users who purchase its products.

When its products malfunction in preventable ways, they make the Internet a worse palce for everyone. I may run a relatively secure *nix machine, but I can still receive spam e-mail delivered by compromised Windows machines. So can everyone else. Since the situation could not possibly exist if not for Microsoft's users, is it really an injustice that they catch some flak when the entity they keep financially supporting fails to do its job? If they dislike this, should they not be a bit more careful about how they vote with their wallets and for whom they vote? I know the victim mentality is popular these days, but if you either know or could have known what you're dealing with, and continue to behave as though you do not and cannot know, should you cry fowl when there are negative consequences?

Microsoft has a long history of problems like this. Anyone who deals with them and doesn't know that has simply failed to do their homework. The real "accomplishment" of Microsoft is that they, through their widespread presence, have convinced the general public that exploits, malware, and other security problems are a normal part of operating a computer. I'm not claiming that Microsoft's products are without merit; if they were, even the non-technical masses would not use them. I am merely skeptical of any notion that their positive contributions to this industry have outweighed their business practices and their negative contributions to this industry.

Re:MS was concerned about how this was exposed?

[causality]

Sheesh, blah blah blah. What your parent said isn't a talking point. His point was much better than yours in less words. All a researcher has to do is notify MS. Give them a reasonable amount of time that you clearly specify(say a month) and then publicly disclose it. Your disdain of MS shouldn't erode your common sense.

You have failed to address the issue I raised.

If its users were more discriminating and more willing to expect quality, I would have no reason to disdain MS. You act like any disdain on my part is an opinion or a matter of taste, and not like MS has soundly earned it.

Microsoft is a business. That means they will tend to do whatever makes them the most profit. If selling garbage makes profit for them, then they will sell garbage. If no one is willing to buy garbage, then they will be forced to sell quality. Therefore, Microsoft does whatever its paying customers are willing to put up with.

The point I raise, to restate it for you, is that this multibillion-dollar company with many highly skilled employees has both the expertise and the resources to design their systems in such a way that they do not suffer such vulnerabilities. They don't do this because they can profit without doing this; therefore, why would they go to the trouble when more effort means more expense? They can profit without doing this because their paying customers will tolerate insecure products. They think malware and other system compromises are an inherent aspect of owning a computer. If people who hold this false belief and use their money to support a vendor which caters to this false belief suffer because of this false belief, why should that trouble the rest of us? Are they not reaping what they sow?

Those of you who believe in confidential, discreet disclosure are implying that the effects on the customers should trouble the rest of us. I'm willing to entertain the idea, but to do that I need someone to tell me why Microsoft's customers are not merely reaping what they have sown. You have not addressed this. If you would like to, I'm all ears, but attempting to tell me that Microsoft's security history is irrelevant, that it's unfair to consider its business practices and priorities, or that I should ignore the fact that they have both the knowledge and the resources to deliver more secure products will never work with me. Please save that and your "blah blah blah" handwaving for the pushovers who are impressed by your assertions. As for me, I deal in facts.

Again, if you would like to actually address any of the issues I have raised, I'm all ears. The fact that you dislike my opinions has been noted, but does not constitute a worthy response.

Re:MS was concerned about how this was exposed?

[GNUALMAFUERTE]

Bullshit. When you find a security issue in a piece of Free Software, you feel compelled to fix it. You can fix it and submit the patch (and get the credit for it) without leaving your desktop. Everything is there. do a svn checkout, fix, commit. That's all. People will thank you, and you'll feel great.

When you find a security issue on a microsoft product, you have to:

Find a way to report the bug. You know, it's not simple ... contacting someone in there is impossible. you can send an email and blindly wait for it to be fixed. But behold, if they do take your bug report, they are probably not going to fix it. Wait six months sitting on the bug report. When it becomes public, they'll first sue you for attacking their OS, and most likely win. If you publish the bug on your blog, you'll get threats and DMCA takedown notices. Then, 3 months layer, they'll quietly patch it, with a 200mb security update, that will break 10 other applications, cause every machine to blue screen, and probably introduce 10 new vulnerabilities. 2 Week later, they'll start telling people to NOT install that latest service pack. A year later, the patch will go away due to some other update that fixes it, or some other external agent (like an antivirus software) "fixing" the issue. 5 years later, a brand new version of windows will come out, and the bug will resurface.

And, whatever happens, you won't get any recognition, and windows will still be totally insecure. Microsoft will still make billions out of it.

So, why help? For all I know, the best strategy to a more secure Internet is to let microsoft die ....

Re:MS was concerned about how this was exposed?

[causality]

Computers are insecure. Networked computers are even more insecure. Windows is the low hanging fruit. I know it sounds tired, but if Linux had the same market share as Windows, you'd see the same kind of cat and mouse game going on between security researchers and malware programmers. If you put Ubuntu 9.10 on 80% of computers connected to the internet, and loaded it up with the 10 or so typical apps that people use (word processors, web browsers, Flash, etc), within six months you'd see vulnerabilities popping up left and right.

It does sound "tired" and I appreciate that you are up-front enough to concede this, but in the same spirit I can admit that it's not unreasonable to wonder it. Still, I have a simple issue with this argument. While it has nowhere near the marketshare of Windows, there are still millions of Linux computers connected to the Internet. Compared to Windows, a disproportionately large number of Linux machines are beefy servers with large amounts of bandwidth. If they were as easy to take over as a home user's Windows machine, they would be more attractive targets. Yet there are no successful viruses or other self-replicating malware programs for Linux in the wild. There are proof-of-concept viruses, but they do not propagate on the Internet.

At the end of the day, it's all software running on an x86 processor. All it takes is one lazy coder, one tired QA guy, or one bad library and you have a zero day exploit. Computers need to execute code. You can only run so many checks on any given input. You can only limit the functionality of a module so much before it becomes useless. You can only bug users with "Are you sure you want to run this?" prompts so many times.

My disagreement here is that you don't need to prompt the user or enable any highly exotic verification to prevent the exploit that is the subject of this article. All you need is some decent sandboxing. Yet one of the most powerful, resourceful, and well-staffed software companies in the world failed to implement it for this version of Windows. Something there does not add up.

If you want an idea of a secure operating, turn your web browser security settings to Prompt/Ask. JavaScript, HTML, XML, EVERYTHING set to prompt. Spend a week browsing the web in that configuration. Let me know how you like it.

In my opinion, you are engaging in quite a bit of hyperbole there. On my Linux system, the "help" function (in my case, a part of KDE) is implemented by binary executables that are owned by the root user while readable and executable (but not writable) by the user who is running them. Firefox, which runs in a similar fashion and also has the privileges of my normal non-root user, cannot affect the KDE online help even if it wanted to. This is an example (and not the best one) of the principle of least privilege. Firefox doesn't need to have the power to modify other parts of the system, so it has no such power. Simple.

There's no need for me to enable any extra confirmation dialogs, or anything else in order to achieve this. I simply enjoy it as part of the fundamental design of this operating system. I have a very hard time believing that one of the most well-funded, well-staffed software companies the world has ever seen was not capable of either matching or surpassing this level of robustness. This was already a standard feature of Linux before XP was released. That isn't the sort of "innovation" they keep talking about. It's more like a bad job of playing catch-up now that more recent Windows versions have improved in this area.

Windows is not merely the low-hanging fruit. It's more like the pre-chewed fruit that is already partially digested. Perfect security is of course not possible. But if you want to eliminate all the large botnets and spam networks, that's easy: make Windows security strong enough that automated attacks will not compromise it. Make it

Re:MS was concerned about how this was exposed?

Linux servers on the Internet are very, very differently configured from Linux computers for home use, so I don't think that's a valid comparison. They're also far more likely to have a competent admin monitoring them.

They can, but they won't, and that's my issue with them.

This doesn't repro on Vista, so it's been fixed for over 3 years. They didn't allow free upgrades to Vista, true (and according to lots of slashdotters, they wouldn't have taken it if offerred).

Re:Well, at least the important keys still work.

[gerf]

More importantly, is there a way to disable F1 in Windows? I can't tell you how many times I've accidentally hit it when trying to hit Esc.

Re:Well, at least the important keys still work.

[c++0xFF]

Just now, for the first time in my life, I pressed F1 in Windows on purpose.

Lots of interesting information is in there, and I even learned a few things (I didn't know XP had a private character editor). But I don't know anybody who uses the windows help system on purpose.

Google already provides good help for Windows.

Re:Well, at least the important keys still work.

[Monkeedude1212]

The actually funny part about this is that most users find that they hit F1 triggering help files on accident - Windows help has long such been little to no help at all, offering nothing you didn't already know. Most of the time you are meaning to press F2 to rename something.

Wishful thinking

"Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."

Call me a cynic, but I've got to be honest: The net effect may be positive, but I don't believe that Microsoft's idea of 'responsible disclosure' results in high priority investigation and timely patching of MS products.

F1 key?

[shivamib]

I tried it and got a Firefox friendly help tab. F1 is the second most annoying key.

What you really don't want to press is that cursed, evil POWER key. You know, when you're trying to find the Page Up ke

I cannot think of a better way to spread this

[NicknamesAreStupid]

than to tell people not to do it. Call it fatalism.

Having seen the average MS help file...

[Chris+Mattern]

...you're not losing all that much.

Re:Not such a bad advice

[Opportunist]

I have yet to stumble upon a helpful help page in Visual Studio 08. Usually a search with Google ends up faster on a relevant MSDN page than pressing F1 in VS.

Interesting enough, it is also more relevant than a search inside the MSDN or using Bing. You usually do NOT find the same MSDN content as quickly within MSDN or with Bing, but instead get offered pages that try to cram some MS-interface down your throat. Maybe nice if you're programming with that interface, but utterly useless if you're using C++ instead of whatever web-aware magical brewitup crap MS tries to push currently.

Re:Well, at least the important keys still work.

[ls+-la]

More importantly, is there a way to disable F1 in Windows? I can't tell you how many times I've accidentally hit it when trying to hit Esc.

A screwdriver will work. It's even cross-platform.

Re:Well, at least the important keys still work.

[zapakh]

You pretty much defeat defeat your own argument without realizing it.

GP is comparing two broad classes of knowing how things works, and asserting that ignorance of one of them is a problem. This is not contradiction, it is drawing a distinction.

I don't need to know how my fuel injection system works, but I had better know what to do at a stop sign.

RTFM..yeah right

Like windows users know what the F1 key is..or how to help themselves. That's why they use windows to begin with.

Re:Well, at least the important keys still work.

[ffreeloader]

I don't think that pointing people to community resources is a bad thing. In the vast majority of cases, unless it's a very, very, odd forum/community if bad advice is given that advice will be promptly nullified.

I haven't used Windows in years so I'm very used to community support. I find it better than formal support because there is usually at least a couple of people on every help forum who have a real knack for explaining things to non-technical people. Also, getting more than one point of view, and more than one way of presenting information usually results in a better understanding of the problem for the noob/not_knowledgeable_user unless they have zero technical ability and then it doesn't really matter where you send them they aren't going to learn anything.

Did you use fat32--ntfs converter?

[Ilgaz]

The stock command coming with XP can convert FAT32 to NTFS in matter of minutes. I guess it would take seconds if it didn't do a chkdsk internally. Now, instead of all that trivial junk being told to user while installing Windows XP, MS could say "We introduce a new filesystem with Windows XP, it is faster, more reliable and has more features. It also makes checking disk needless." with "Convert my startup drive to NTFS" checkmark selected.

That time, users would move to NTFS and no, they would still have no clue about the filesystem they run. So, for 8 years, everyone could be running some kind of modern filesystem rather than something designed for DISKETTES.

Apple did it when they were absolutely sure journaling doesn't create problems for 99.999% of users, with couple of clever UI tricks, they made sure everyone enabled journaling. They still do the similar tricks to prevent users easily disable journaling (mostly because of FUD on www). I wasn't around on Mac scene when HFS got upgraded to HFS+ but I am sure they did similar tricks to make users move and get rid of archaic filesystems.

Advisory is not quite right

[yellowstone]

Here, let me fix it:

[T]he vulnerability relates to [...] using Internet Explorer

You're welcome.

Best way to stay trouble free on Windows? Don't use IE. Or Outlook. Or IIS.