Slashdot Mirror


Microsoft Says, Don't Press the F1 Key In XP

Ian Lamont writes "Microsoft has issued a security advisory warning users not to press the F1 key in Windows XP, owing to an unpatched bug in VBScript discovered by Polish researcher Maurycy Prodeus. The security advisory says that the vulnerability relates to the way VBScript interacts with Windows Help files when using Internet Explorer, and could be triggered by a user pressing the F1 key after visiting a malicious Web site using a specially crafted dialog box."

7 of 324 comments

  1. Re:Yet another reason by 0WaitState · Score: 3, Interesting

    How about we tax Microsoft for their polluting the internet with their insecure-by-design OS installs? About $50 per install will put a dent in all the economic damage Windows causes.

    Don't press the F1 key? Jesus fucking christ. What next, don't power up the box?

    --

    Remain calm! All is well!

  2. Re:MS was concerned about how this was exposed? by martin-boundary · Score: 3, Interesting

    Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users

    It does not. It minimizes potential damage to the brand, so the vendor can decide if it's worth their while to do something.

    You can't argue that "security researchers" who sell 0-day vulnerabilities on the black market are helping anybody but themselves

    Better they sell it on the black market than they use it quietly. Moreover, if there's a market, then it's worth something and "good guys" can bid, too.

  3. Re:Only MSIE users by Alien1024 · Score: 3, Interesting

    This probably affects any help file in html format, which is displayed through the IE rendering engine. Many new applications use html help files.

  4. Microsoft Interview by dawilcox · Score: 4, Interesting

    I interviewed with Microsoft for a development position a few weeks ago. I found that the interviewers were very arrogant. They assumed they knew all the details about my past projects. It felt like politics with them would be horrendous because everyone is showing each other up.

    Needless to say, I turned down the job offer. It doesn't surprise me how they keep making flub ups like this when the people at their company are so arrogant.

  5. Re:Yet another reason by RalphSleigh · Score: 5, Interesting

    The same HTML rendering component I can understand, but in this case it appears a script running in a web browser instance of the component can somehow affect the help rendering instance, and that is a quality WTF.

    --
    Come as you are, do what you must, be who you will.

  6. Re:MS was concerned about how this was exposed? by dweller_below · Score: 3, Interesting

    Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug.

    IN A TIMELY MANNER.

    You forgot the bit that's at the core of the disclosure debate. Virtually everybody in the security industry agrees on the principles of disclosure. All the flames are over the timing.

    In one corner, we have Microsoft. They appear to believe in full disclosure, once the disclosure will have no adverse effects on stock price or profitability.

    In another corner, we have a tiny handful of scum sucking, mercenary security researchers who believe that disclosure will happen just as soon as they get paid. And the terms of that disclosure will be whatever the purchaser wants.

    In the other corners, and carpeting the entire floor, are all the rest of the security community. They believe that full disclosure must happen in a time-frame that minimizes damage to the user community. They just can't agree on when that might be.

    This lack of a consensus has made it easy for Microsoft to define the current terms of disclosure. The result has been suppression of disclosure for longer and longer periods. The inevitable consequence is more and more '0' day exploits.

    In September 2009, SANS released an excellent State-of-the-Internet on the top cyber security threats: http://www.sans.org/top-cyber-security-risks/ One of their points was:

    "World-wide there has been a significant increase over the past three years in the number of people discovering zero-day vulnerabilities, as measured by multiple independent teams discovering the same vulnerabilities at different times. Some vulnerabilities have remained unpatched for as long as two years."

    To demonstrate this issue they enumerated the history of MS08-031:

    For example, MS08-031 (Microsoft Internet Explorer DOM Object Heap Overflow Vulnerability) was discovered independently by three researchers. The first researcher submitted remote IE 6/7 critical vulnerability on Oct 22, 2007. A second independent researcher submitted the same vulnerability on April 23, 2008. A third independent researcher submitted the same vulnerability on May 19, 2008. All three submissions outlined different approaches of auditing and finding the same vulnerability.

    What goes unstated is that while 3 'responsible' researchers disclosed to Microsoft and waited and waited, unknown numbers of hackers also discovered the vulnerabilities and exploited them.

    Just this week, a dozen well managed, fully patched, WinXP (with .NET installed) computers at my institution were compromised by clicking on a major news site (http://www.ksl.com/index.php?nid=148&sid=9814436).

    Microsoft would have us believe that this is acceptable. But really, would immediate, full disclosure be any worse?

    Miles

  7. Better to just not press any keys in Windows XP by gig · Score: 3, Interesting

    If you are still using XP at this point, who cares? Go for it. Press F1 while running FlashPlayer and Acrobat and IE6 simultaneously. If you gave a shit or had any data worth protecting you'd already be using a Mac or other Unix.