Microsoft Says, Don't Press the F1 Key In XP

Ian Lamont writes "Microsoft has issued a security advisory warning users not to press the F1 key in Windows XP, owing to an unpatched bug in VBScript discovered by Polish researcher Maurycy Prodeus. The security advisory says that the vulnerability relates to the way VBScript interacts with Windows Help files when using Internet Explorer, and could be triggered by a user pressing the F1 key after visiting a malicious Web site using a specially crafted dialog box."

Well, at least the important keys still work.

[dmgxmichael]

As long as CTRL-ALT-DELETE still works we're golden.

Re:Well, at least the important keys still work.

[gerf]

More importantly, is there a way to disable F1 in Windows? I can't tell you how many times I've accidentally hit it when trying to hit Esc.

Re:Well, at least the important keys still work.

[c++0xFF]

Just now, for the first time in my life, I pressed F1 in Windows on purpose.

Lots of interesting information is in there, and I even learned a few things (I didn't know XP had a private character editor). But I don't know anybody who uses the windows help system on purpose.

Google already provides good help for Windows.

Re:Well, at least the important keys still work.

[Monkeedude1212]

The actually funny part about this is that most users find that they hit F1 triggering help files on accident - Windows help has long such been little to no help at all, offering nothing you didn't already know. Most of the time you are meaning to press F2 to rename something.

Re:Well, at least the important keys still work.

[CannonballHead]

Uhhh, did you look at the first hit? Might want to proofread your Google links before using it to make a point...

How to Upgrade Linux to Windows XP | eHow.com
How to Upgrade Linux to Windows XP. Since Linux operating systems use different file systems than Windows, the hard drive must be formatted with either ...
www.ehow.com Computers Operating Systems Windows - Cached - Similar -

Re:Well, at least the important keys still work.

http://www.randyrants.com/sharpkeys/

This will remap any(?) keys in windows at a registry level.. including media keys and the f > 12 keys.

Re:Well, at least the important keys still work.

[iamhassi]

First time I pressed F1 on purpose was when I read I shouldn't press F1...

Re:Well, at least the important keys still work.

[CannonballHead]

I thought you were doing the typical "fixing Windows is easy, just install Linux!" joke... which appeared to fail based on the first hit, since it was how to install Windows ;)

As for FAT vs. NTFS, how many people know the difference between disc and drum brakes? I don't know if knowing about filesystems is a requirement for using a computer - or that it even should be. If you want people to switch to Linux (hey, I think it's a good idea too, most of the time :) ), requiring them to read about filesystems is going to be a problem. They don't care... and don't WANT to know, it is a waste of their time.

Which is why "defaults" are important. Even when I install Linux I'm ok with either reiserfs or ext3 (or ext4). The average user doesn't care if it's a journaled filesystem or not. The average user doesn't care about how the hard drive is partitioned. The average user probably has no idea what "partitioning" means. And why should they care anyways? I don't know half of what my mechanic talks to me about either... I'm glad he knows, but at the end of the day I just want my car to keep working and be a good car...

The problem with Windows users is not that they don't know about NTFS, FAT, partitioning, disk drives, SATA vs. PATA, or what-have-you. The problem with Windows users would be more along the lines of not being able to tell - or not caring to? - what a phishing attack is... thinking downloading and installing programs from who knows where is a good idea... thinking backups are for "important" people and they don't need to back things up - or if they do it's really just software that causes problems, not hardware [ha. I just had a 2 year old SATA drive die on me])...

If we are going to educate users, I can think of many other things I'd rather tell them, hehe. Incidentally, I usually start with explaining how exactly folders and files work. Most people could not explain how to find their "desktop" folder certainly could not explain how the folder/file hierarchy works. Once people understand that, it makes them soooo much more independent and not asking "I downloaded a picture but I can't find it, where did it go?" every other day :)

Re:Well, at least the important keys still work.

[shermo]

autohotkey.com

Open source programme that allows you do do anything with your keys. Careful though, once you start you won't stop.

Re:Well, at least the important keys still work.

[sexconker]

A well-written help file is like a well-written man file. Invaluable to anyone who wants to do anything other than the bog standard mindless shit.

A poorly-written help file is like a poorly-written man file. It causes more confusion than if there wasn't one at all.

Re:Well, at least the important keys still work.

[dissy]

More importantly, is there a way to disable F1 in Windows? I can't tell you how many times I've accidentally hit it when trying to hit Esc.

Regedit: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\HELPCTR.EXE

For the default key at the top usually named (Default)
Either delete the path to helpctr.exe so the value is blank (Value not set), or download the dummy.exe from the actual directions below and point it to that.

http://www.hydrous.net/weblog/2007/06/23/disable-f1-in-windows-exporer

Re:Well, at least the important keys still work.

[Opportunist]

Windows XP Help is great when it comes to finding out whether you have a counterfeit copy. That answer comes up at pretty much any time you could remotely press F1.

Try it yourself... uh... well, maybe not right now.

Re:Well, at least the important keys still work.

[Froboz23]

Tech Support: See this button? Don't touch it! It's the history eraser button, you fool!

User: So what'll happen?

Tech Support: That's just it. We don't know. Maybe something bad. Maybe something good. I guess we'll never know, 'cause you're going to guard it. You won't touch it, will you?

Re:Well, at least the important keys still work.

[ffreeloader]

First you say it really doesn't matter if Windows users know anything about how their system is set up and how things work, but then go on to explain how their ignorance about how things work is their greatest weakness. You pretty much defeat defeat your own argument without realizing it.

Re:Well, at least the important keys still work.

[Daniel+Dvorkin]

As for FAT vs. NTFS, how many people know the difference between disc and drum brakes? I don't know if knowing about filesystems is a requirement for using a computer - or that it even should be.

Should be? No. Is? Yes. Disc vs. drum brakes make a certain amount of difference to braking performance, but having drum brakes won't make it easier for people to steal your car, or cause it to suddenly stop working while you're driving. Modern computers are simply not comparable to modern cars. They're more like the Model T -- reliable and affordable enough to be useful to a lot of people, but still not something you want to depend on without a decent set of tools and a fair amount of mechanical knowledge.

Re:Well, at least the important keys still work.

[Saint+Stephen]

Ah, gee, I feel sorry for you guys who didn't get to play with Windows 3.0 in the Spring of '90 :-) Back then we read all the help files cover to cover, cause it was nearly the only thing you could do on the thing.

Then play some Door programs :-)

Re:Well, at least the important keys still work.

[Saint+Stephen]

In the old days you actually had to THINK to figure out how to do something on the PC. Real actual honest to god research and thinkin about something. No foolin!

Re:Well, at least the important keys still work.

[ls+-la]

More importantly, is there a way to disable F1 in Windows? I can't tell you how many times I've accidentally hit it when trying to hit Esc.

A screwdriver will work. It's even cross-platform.

Re:Well, at least the important keys still work.

[zapakh]

You pretty much defeat defeat your own argument without realizing it.

GP is comparing two broad classes of knowing how things works, and asserting that ignorance of one of them is a problem. This is not contradiction, it is drawing a distinction.

I don't need to know how my fuel injection system works, but I had better know what to do at a stop sign.

Re:Well, at least the important keys still work.

Best to change it to:

Shutdown -s -f -t 00

Will make windows much more efficient :)

Re:Well, at least the important keys still work.

[deniable]

Pry-bar or epoxy. Also, F1 is usually just an accelerator for the help function, so they can get to the problem in other ways. Most of my users go to the menu rather than using F1. The other post detailing how to disable the help center is probably more useful.

Re:Well, at least the important keys still work.

[ravenshrike]

Or you could use FF/Opera/Chrome. Really the title should be, Don't use IE in XP.

Re:Well, at least the important keys still work.

[ffreeloader]

You are missing the point. Ignorance of all things computing is why most clueless users will follow any "click this" direction from anyone. It takes a knowledgeable user to recognize the issues.

Re:Well, at least the important keys still work.

[Noodlenoggin]

If you're not sure what to do at the stop sign, just press the F1 key and a helpful window should open allowing you to find out the correct procedure. I'd suggest stopping before you press F1 however.

Re:Well, at least the important keys still work.

[biryokumaru]

I did this for my "Hibernate" key, which was brilliantly placed right above my Esc key. A little duct tape over the hole, and it has most definitely eliminated all issues.

Re:Well, at least the important keys still work.

[toastar]

More importantly, is there a way to disable F1 in Windows? I can't tell you how many times I've accidentally hit it when trying to hit Esc.

same way I got rid of the Windows key, A Flathead screwdriver.

Re:Well, at least the important keys still work.

[zapakh]

You have a good point, and here my car analogy, and those like it, break down because of the complexity of the beast.

I had forgotten about F1, instead referring people to go online to find answers to their computer questions. But I wonder if I haven't been doing the wrong thing directing people to community support when they're ill-equipped to distinguish good advice from bad.

Re:Well, at least the important keys still work.

[ffreeloader]

I don't think that pointing people to community resources is a bad thing. In the vast majority of cases, unless it's a very, very, odd forum/community if bad advice is given that advice will be promptly nullified.

I haven't used Windows in years so I'm very used to community support. I find it better than formal support because there is usually at least a couple of people on every help forum who have a real knack for explaining things to non-technical people. Also, getting more than one point of view, and more than one way of presenting information usually results in a better understanding of the problem for the noob/not_knowledgeable_user unless they have zero technical ability and then it doesn't really matter where you send them they aren't going to learn anything.

Re:Well, at least the important keys still work.

[RadioElectric]

BEST DECISION I EVER MADE.

Re:Well, at least the important keys still work.

[kimvette]

As for FAT vs. NTFS, how many people know the difference between disc and drum brakes?

About two hours' difference when it's time to do the brakes (or more if the drums have a deep ridge and the cylinders and springs are nice and clogged up with brake dust and rust). In one of my cars I can do the brakes in ~15 minutes per corner. On my GMC 1500 (now junked thank god) the rear drum brakes alone would take ~2.5 hours (the fronts weren't so bad, being disc).

Re:Well, at least the important keys still work.

[dave562]

But I don't know anybody who uses the windows help system on purpose.

The people who use F1 for help are the same people who use WindowsKey+E instead of going to My Computer. F1 for help is standard for as long as Windows has been around and it is also context specific. If you hit F1 in an application, you get help for that application. Some applications take it even further and bring up function specific help depending on what portion of the application your mouse is hovering over, or your cursor is focused on.

Re:Well, at least the important keys still work.

[ColdWetDog]

You might want to remap the caps lock key while you're at it.

Re:Well, at least the important keys still work.

[kimvette]

having drum brakes won't make it easier for people to steal your car, or cause it to suddenly stop working while you're driving

I take it you have never had a "classic" car with drum brakes all around. I assure you that drum brakes can suddenly stop working; they are far more susceptible to fade than disc brakes with vented rotors, and if you don't know to ride the brakes a bit after driving through puddles if you have drum brakes (to boil off the nice layer of water that ends up being a great lubricant on the shoes) you can end up with NO braking "power." There is good reason a lot of owners of antique R^HMustangs upgrade to front disc brakes even for non-performance builds.

Re:Well, at least the important keys still work.

[GNUALMAFUERTE]

I do that at the store, everytime I buy a new keyboard, before paying for it.

Wait, this keyboard is defective .. (Take out my keys, pop both win keys out) ... There you go, now it's ok. How much for this one? I'll take it.

So much fun ...

Re:Well, at least the important keys still work.

[CapnStank]

Problem is with Windows, not IE.

Re:Well, at least the important keys still work.

[yakumo.unr]

Presumably autohotkey has to stay running in the background?

If you just remap your keys nothing extra has to stay loaded :

http://vlaurie.com/computers2/Articles/remap-keyboard.htm

or Remapkey.exe from the MS server 2008 resource kit : http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en

Re:Well, at least the important keys still work.

[Niten]

More importantly, is there a way to disable F1 in Windows?

Possibly. Press F1 and look it up in Windows Help.

Re:Well, at least the important keys still work.

[GNUALMAFUERTE]

Paging PizzaAnalogyGuy to this thread. PizzaAnalogyGuy, report to thread 10/03/02/1924237/

Re:Well, at least the important keys still work.

[mister_playboy]

pop both win keys out

Where do you buy a keyboard that still has two Windows keys? I haven't seen any since VIsta's launch.

Re:Well, at least the important keys still work.

[Pikoro]

nice ren and stimpy reference :)

Re:Well, at least the important keys still work.

[scdeimos]

Dell

Re:Well, at least the important keys still work.

[GNUALMAFUERTE]

I haven't bought a keyboard for the last 5 years. That was something that I _used_ to do. I moved to just my laptop. Desktops are overrated.

Re:Well, at least the important keys still work.

[GNUALMAFUERTE]

You mean this one?

http://www.opengroup.org/onlinepubs/9699919799/utilities/man.html

Re:Well, at least the important keys still work.

[GNUALMAFUERTE]

Oh, sorry, you said "help file SCRIPTING". Then you must be talking about Info, not man, since info supports scripting (in LISP).

And off course it's also well documented, and totally secure.

Re:Well, at least the important keys still work.

[ZosX]

woosh

Re:Well, at least the important keys still work.

[Abstrackt]

BEST DECISION I EVER MADE.

Everyone knows caps lock is cruise control for cool.

Re:Well, at least the important keys still work.

Umm, this patch would have you assume that the program HELPCTR.EXE is the culprit. Its not, its the way that HELPCTR.EXE is called that is the security problem. So, even before dummy.exe gets called, you already vunerable. bummer -Killmofasta

Re:Well, at least the important keys still work.

[SEWilco]

Oh, good, I need to remap the Any key because I never can find it.

Re:Well, at least the important keys still work.

[hairyfeet]

And how many laptops have you gone through now. Two? Three? How sad is it that computers are quickly becoming as disposable as cell phones. I wonder how many laptops are filling up the landfills right now because it would cost more to fix those proprietary hunks of plastic than they are worth. I myself have a 4 year old laptop I'm gonna have to shitcan because Dell wants more for the parts to fix it than it is worth, meanwhile my decade old Compaq desktop is still doing daily duty as a "browser in a box" for my GF's daughter, and my 9 year old HP just needs a $30 HP mini PSU and it'll be good for another decade.

Now as for TFA, this sounds like a PEBKAC problem to me. For this thing to work you have to have a website in IE that has no business throwing up Windows dialog boxes (clue one) throwing up endless annoying Windows dialog boxes that refuse to close (clue two) unless you press the exact key combination that they choose (clue three) and you...do what they say? Why not just close the damned browser? Why would you want to stay at a website that is annoying the piss out of you and then do whatever they tell you to? This is one of those times where basic common sense ought to tell you not to do it, shouldn't it? Or is basic common sense in that short of a supply? Damn just typing that made be depressed. You would think working PC repair I would accept the answer to that question, but dammit, I just keeping hoping that one day basic common sense will make a comeback. it could happen!

Re:Well, at least the important keys still work.

[keeboo]

Now as for TFA, this sounds like a PEBKAC problem to me.

What's a "ryevkas"?

(ok, nobody won't get the joke)

Re:Well, at least the important keys still work.

[GNUALMAFUERTE]

I hope this answers your question as to how many laptops I've been through the last years. Yes, you can laugh.

http://www.youtube.com/watch?v=BECu44Z_zM8

That was a few months ago. The one I bought after this happened is the third laptop in 2 years. Yes, I'm clumsy.

Re:Well, at least the important keys still work.

[CannonballHead]

I didn't say it doesn't matter if they don't know anything about how their system is set up. I said they didn't have to know if they are using FAT or NTFS. Tell me... let's say they have a FAT32 based installation for some strange reason. What difference to online security does that make? What practical difference does it make? Sure, if they want to CHANGE their system it might make a difference, but most people pay people to do that, not do it themselves. They don't have the time to learn how and they don't have the time to do it. That's why IT exists.

Re:Well, at least the important keys still work.

[Allnighterking]

Fry's used to sell them.... (seriously)

Re:Well, at least the important keys still work.

[ravenshrike]

? You have FF set up so that it pulls up the Windows Help Center(The vulnerability for this particular attack) when pressing F1? Cause mine directs me to a Firefox help page without accessing the Help Center at all. I assume it's something similar in Opera and Chrome. If that isn't accessed, nothing happens.

Re:Well, at least the important keys still work.

[smellsofbikes]

My old Jeep had three full stops per 10 minute period because the drum brakes were so bad. It was unpleasant to drive in town, but I got very good at shift-braking. People who have only ever driven disc brakes also don't know about not setting the parking brake after a long downhill drive, where the drum will distort because it's still so hot it's partly plastic, leaving you with even worse (and much, much more unpleasant-feeling) brakes forever afterwards or until you replace the entire drum.

Moving from drums to discs was way better than moving from carbs to fuel injection, or even from solid lifters to hydraulic lifters. Old cars suck.

Re:Well, at least the important keys still work.

[smellsofbikes]

blast, replied to the wrong comment. Sorry.

Re:Well, at least the important keys still work.

[blackraven14250]

The sound of the caps lock key's new location flying away?

Re:Well, at least the important keys still work.

[zkp]

Ironically, first hit on bing.com is linux-upgrade.com | Welcome to the Linux and open source upgrade web site. Are you tired of always having to update your anti-virus software? If you are frustrated with running Microsoft Windows and ...

Re:Well, at least the important keys still work.

[fluffy99]

or download the dummy.exe from the actual directions below and point it to that.

Right, like I'm dumb enough to grab an unknown executable from some website and tie it to my F1 key. You must have me mistaken as someone from the other topic about clueless admins who will do anything an official email tells them to.

Re:Well, at least the important keys still work.

[somegeekynick]

Check the Windows documentation -- press F1 for help.

Re:Well, at least the important keys still work.

[hairyfeet]

So there are TWO laptops rotting in a landfill, and that is just for a two year period. Damn, that is depressing. How sad that we as a society have just accepted everything becoming disposable, even things that shouldn't be like PCs.

Doesn't that bother you? even a little? I'm not a greenie but this amount of waste is just mind blowing to me. you are far from alone, with the average person from what I've seen barely getting two years before a laptop is headed for a dump. If you refuse to let go of the laptop, at least get a toughbook, or some other machine designed to last. It is just shameful throwing so much away, but as I myself found out thanks to those greedy bastard corporations a part that would cost you less than $40 on a desktop can easily cost you three to four times that.

It has gotten to the point that if a customer comes in with a broken laptop I tell them not to bother, as it just isn't economical to fix them anymore. How damned sad that so many that would need so little to fix ends up just more garbage littering our landscapes.

Re:Well, at least the important keys still work.

[Moghedien]

Hang on, I'll get Cyril Azbuka on the horn! He'll know!

Re:Well, at least the important keys still work.

[Ihmhi]

Welp, a long time ago I disabled the very annoying Insert Key on my computer with a simple hardware fix.

1) Get a flathead screwdriver.

2) Place screwdriver underneath problem key.

3) Place left hand approximately 1 foot (~0.3 meters) above problem key.

4) Use leverage to pop key out of keyboard.

5) Your left hand will block the deadly flying plastic. Be careful not to stab yourself with the screwdriver! Better to have to search around for a plastic key than dig a flathead screwdriver out of your hand.

Re:Well, at least the important keys still work.

[AmiMoJo]

Today was the best day ever in the IT department.

Re:Well, at least the important keys still work.

[mooterSkooter]

Tell me about it.

Every so often I have to go to the local tip to throw away big items that won't fit in the bin (trashcan) and I am AMAZED at the amount of computer hardware that is piled up there. I used to retrieve the odd machine that looked useable and 9 times out of 10, the machine will boot up (albiet slowly) into Windows XP. A simple install of a lite linux distro and bam! - A perfectly useable computer.

It seems people (morons?) throw away XP machine when they "slow down" as they are "too old".

It completely annoys the god-damn hell out of me.

Oh, the last time I tried to take a machine - I was shouted at and told "You're not allowed to take old computers anymore!!!" - they even have a freakin camera checking for those pesky re-cyclers!

And as for the 'broken' laptops - give them me! I'll install debian on it, hook it up to an LCD and use it has a nice 'n quiet MythTV frontend!

Honestly - some people need shooting.

Re:Well, at least the important keys still work.

[sproketboy]

Nah FORMAT C: would be better.

Re:Well, at least the important keys still work.

[sproketboy]

Neat!. Where's the facking save option?

Re:Well, at least the important keys still work.

[ffreeloader]

I didn't say it doesn't matter if they don't know anything about how their system is set up. I said they didn't have to know if they are using FAT or NTFS. Tell me... let's say they have a FAT32 based installation for some strange reason. What difference to online security does that make? What practical difference does it make? Sure, if they want to CHANGE their system it might make a difference, but most people pay people to do that, not do it themselves. They don't have the time to learn how and they don't have the time to do it. That's why IT exists.

What difference does FAT vs NTFS have on security, online or otherwise? Are you seriously asking me that? If so, you are demonstrating exactly why the second half of your post defeated the first half of your post. FAT allows anyone to write to any file regardless of its location. IOW's there are NO file security/permission levels in FAT. If you can't see the security implications in that, well, I don't know what to tell you.

I'll do you another favor and point out a major weakness with Windows implementation of NTFS with regards to security. The NTFS default in all Windows OSes is to automatically tie read and execute permissions together. You can't place a file on a Windows system with an NTFS formatted hard drive without it being given execute permissions. I'll let you figure out why that is a bad thing. I'll also tell you that none of file systems used in Linux does that.

Re:Well, at least the important keys still work.

[thejynxed]

Any keyboard bearing the Microsoft brand comes with two Windows keys.

Re:Well, at least the important keys still work.

[dissy]

Right, like I'm dumb enough to grab an unknown executable from some website and tie it to my F1 key. You must have me mistaken as someone from the other topic about clueless admins who will do anything an official email tells them to.

That is why I provided an alternative. An alternative that I proposed FIRST.

But feel free to totally ignore that and bitch about the rest of my answer

Re:Well, at least the important keys still work.

[Aklyon]

No, it should be 'Don't Use IE.'

Re:Well, at least the important keys still work.

[pnewhook]

And how many laptops have you gone through now. Two? Three? How sad is it that computers are quickly becoming as disposable as cell phones. I wonder how many laptops are filling up the landfills right now because it would cost more to fix those proprietary hunks of plastic than they are worth.

In several decades of computer ownership I have NEVER had a computer just break. The only reason I've ever upgraded is in the cases wanted to do something that exceeded the computational abilities of the old computer. The one time I bought a desktop that was upgradeable, the standards changed so I couldn't upgrade it anyway (except for the case I guess).

So in that case, laptops cause no more landfill problems than desktops - less in fact because they are smaller. I've also switched to laptops - they are far more convenient and flexible.

Now as for TFA, this sounds like a PEBKAC problem to me. For this thing to work you have to have a website in IE that has no business throwing up Windows dialog boxes...

I think the real problem is that people keep running IE which is basically a portal for viruses into your computer.

Re:Well, at least the important keys still work.

[hey!]

Well, if you don't want to remap the key in software, glue a small block of wood to the top of the Esc key. Then lay a strip of tongue depressor so the key extends past the left edge of the keyboard. You can also overhang the right edge of F1 a bit if you want.

Seriously, part of being a geek is realizing that you don't have to accept the world around you *as is* ... at least not when it comes to *made things*.

Re:Well, at least the important keys still work.

[GNUALMAFUERTE]

I don't throw them away.

It's just not economical to fix laptops. And it sucks having to wait for replacement parts.

Of the 3 laptops I mentioned, the first one got the screen broken, so It got transformed into a file server (It's got an internal 250 GB Drive plus another 250GB Disk connected where the cd drive used to be). The second laptop's motherboard died. So, the one I have now is a compatible model Toshiba. I reused the battery from the old one as backup battery, and all the RAM it had (I bought a base model with only 2 gb). I reused the PSU. The 250 GB drive connected through the SATA used for the cd drive in the fileserver laptop came out of this machine too. The rest is there waiting to be used as spare parts.
Throwing away computers is stupid. But fixing broken laptops is stupid too. Reuse them as something else and get a new one.

Re:Well, at least the important keys still work.

[fluffy99]

I wasn't bitching about you, but rather the hydrous weblog actually expecting people to download the aptly named dummy.exe.

Re:Well, at least the important keys still work.

[CannonballHead]

I know there are inherent differences in NTFS and FAT filesystem security locally. That makes little difference when you run as administrator, of course. And I specifically said online security... if I run a virus or trojan as administrator it makes little difference that I'm using FAT...

Anyways. Moot point. Main idea is that's Microsoft's job to fix that. The user doesn't need to know that. The user needs to know about online security, recognizing phishing, etc... that's more what they'll run into than FAT vs. NTFS...

Re:Well, at least the important keys still work.

[Michael.LTN]

Ditto for Num Lock.

Re:Well, at least the important keys still work.

[Hamoohead]

I'm still trying to find reverse.

Re:Well, at least the important keys still work.

[ffreeloader]

Of course it makes a difference to online security whether or not you run FAT as your file system. Using FAT means a cracker can modify/execute any file on your system. They would not be limited to having only those file permissions that you, as a normal user, would have if the system used NTFS rather than FAT.

In effect, if you're running FAT you are giving anyone Administrator permissions to system files whether you are running as Administrator or not. If you think that is irrelevant to system security I'm at a loss to how get you to understand the issue. That's like saying there is no way Win2K or XP were/are more secure than Win95/98. The fact that you may log into your system as Administrator on Win2K or XP is irrelevant to the fact that FAT is less secure than NTFS. If it wasn't for the increased security in NTFS vs FAT having an Administrator account wouldn't have been necessary nor would it have mattered whether you run as Administrator or a limited account online as far as security goes.

I'll also disagree with you about what a user needs to know to be secure online. If most people don't understand WHY what they are doing is going to cause them problems and what can happen they are very unlikely to change their behavior. Just telling someone if you do A, B may happen isn't very convincing or motivating.

I'm very unlikely to change my behavior just because someone tells me to. I'm much more likely to change if someone can help me understand the causes and effects that my behavior is liable to create, whether the causes and effects are positive or negative. I don't believe I'm all that different from Joe Blow in that respect just because I understand technical issues better than he does. Even a child is much more likely to change his longterm behavior if you can get him to understand why doing some things differently will be to his advantage

Re:Well, at least the important keys still work.

[hairyfeet]

My point is the desktops will continue to work, and can be passed down, while the laptops fall apart. Examples-my nearly 12 year old 733MHz is STILL working as a "browser in a box" for my GF's daughter, my decade old HP is waiting for a $30 funky HP mini PSU and then it'll be good for another decade. My barely 4 year old Dell laptop, on the other hand, is gonna have to be shitcanned because it refuses to boot with a broken ribbon connection to the screen, and for that and a replacement hinge Dell wants more than it is worth.

I have PCs that are 6, 7, sometimes even a decade old cross my desk. For basics like bookkeeping and web surfing they are just fine. The oldest laptop I've had cross my desk is three years and I had to tell the owner to shitcan it because the parts were too expensive. Thanks to everything in laptop land being so proprietary you can't use hardly any parts from one to another, and the manufacturers buttrape you on replacements. They WANT it to go into the dumpster, so they can sell you another one, and the vast majority are designed to be "thin and light" to the point of being flimsy and easily broken. And frankly I find it obscene.

Re:Well, at least the important keys still work.

[pnewhook]

Personally I've never had a problem with laptops. I have a 14 year old IBM Thinkpad that still works perfectly. No repairs, no failures of any kind.

Contrast that to my old desktop that had the floppy drive catch on fire (but it still worked after so I never bothered fixing it).

Re:Well, at least the important keys still work.

[hairyfeet]

Yeah, but you're talking IBM. There is a reason why old "Big Blue" has a killer rep, and a good portion of that is how well they design and build their machines. I'm talking about the Dells, the HPs, the Compaqs, the EMachines, the literally millions of $350-$700 laptops sold every year. I have bought up parts cheap after other repair shops have gone broke trying to work on the things. They are so damned proprietary that you can have the same make and model and open it up and find completely different and incompatible parts between revs.

what we need is standards, to where parts from a broken Compaq can fit a Dell, just as we have on desktops, but since the hardware manufacturers want these machines to end up in a dumpster, since having a laptop die every two years means the customers have to go out and by new ones, I just don't see that happening. And it is just sad to me how many machines are ending up in landfills now that could have been fixed with a little bit of standardization. When you figure out the amount of resources needed to create, ship, and finally dispose of all those millions it is truly obscene.

Re:Well, at least the important keys still work.

[pnewhook]

I don't think standards have anything to do with it - it's purely quality of parts. The reason Thinkpads were the most expensive at the time was they used quality components, and you had to pay a premium for that. Most people aren't willing to spend twice what they can get a discount laptop for, and ignore the long term cost of ownership.

Dell is a perfect example. Right now I have a Dell Precision M4400. Best laptop I've ever owned. However the Dell Insiron are half the price but complete crap. At work our IS department will refuse a request to get any Inpiron due to short lifespan. No problem with Precision line though. This applies to both desktop and laptop.

However I don't wish this to be mandated - if people want to buy crap let them. The last thing we need is more government interference through useless standards.

Re:Well, at least the important keys still work.

[hairyfeet]

Actually I would say just the opposite, that standardization has EVERYTHING to do with it. I'll give an example. I would do occasional temp work for one of those places that went under. Jerome the boss hands me 5 broken dell Latitudes and tells me to see if I can make at least ONE good one out of them. Just one. They were all roughly the same year, probably no more than 8 or 9 months apart. What did I find? Not a single damned part other than RAM and HDD would interchange. NONE. Hinges? Nope. hell even most of the ribbon connectors were either too short or too long. The machine were nothing but proprietary in a box. all ended up shitcanned.

And THAT dear sir, is the problem. Give me 5 Dell desktops, I don't care how cheap they are, I can usually build at least 3 good ones out of them, because everything on desktops is standard. MATX boards, SATA connections, molex, it is all bog standard. I bet I could give you 100 laptops of various makes and model from different manufacturers you would be lucky if you could make 3 working machines out of that 100.

And personally? I think it is 100% on purpose. They don't care how many of their machines end up in landfills, they WANT them to fall apart, and not be fixable, so you have to go out and buy more. every damned day more and more are just dumped in landfills, while desktops can easily be refitted and find new life. Hell my first gaming desktop, a 100MHz Pentium with a 1Gb HDD? It is STILL working 5 days a week at a local lumber company running DOS 3 so it can act as a controller for an old ISA card that runs a custom column making lathe. While all my PCs can't say the same, as I have fried a few mobos over the years, the laptop situation has just gotten ridiculous. The non standard parts mean any OEM can (and do) just ass rape you for even the tiniest piece of plastic, and with no competition because there are no standards to go by they get away with it. And I still say that is just obscene.

Re:Well, at least the important keys still work.

[pnewhook]

If you buy crap, expect crap. If you want something long lasting, then buy quality. But you can't force people to buy machines with expensive components. Those 5 broken Latitudes would not be broken if the owners had bought Precision or Thinkpad instead. The would still be working. Swapping parts to try and cobble something together would be pointless.

So what is your solution? Create a universal standard and outlaw anything that doesn't fit? Standards aren't the problem - patents are, preventing another company from making compatible parts.

Actually for standards, Compaq is the worst offender. Even the timing is different. Every other computer on the planet uses a 10ms timer for event syncronization and task switching. Compaqs use 15ms. So everything has to be written special for running on Compaqs. Not sure about XP and later but you couldn't even install OEM NT onto a Compaq - install would fail telling you you had to have a Compaq version. Compaq is the worst piece of crap on the planet.

Re:Well, at least the important keys still work.

[treeves]

For the first time in a while, I don't have any mod points left today. Someone please mod parent up Informative (not Funny)!

F1rst

F1rst

Re:F1rst

[sexconker]

Fa1l.

Re:F1rst

[Puppet+Master]

F1rst P0st

Fixed that for ya.

Yet another reason

[Dracos]

This is yet another reason why MS' idea of a tax to deal with malware tax is stupid.

Re:Yet another reason

[0WaitState]

How about we tax microsoft for their polluting the internet with their insecure-by-design OS installs? About $50 per install will put a dent in all the economic damage Windows causes.

Don't press the F1 key? Jesus fucking christ. What next, don't power up the box?

Re:Yet another reason

This is yet another reason why MS' idea of a tax to deal with malware tax is stupid.

It's almost amusing that a Web browser is so tightly integrated with the operating system that scripts run by it can influence core system functions without actually rooting the machine. I guess this is what happens when you ignore decades of computer security history and discard the principle of least-privilege. Hopefully Windows 7 (and Vista) is not defective enough to allow a userspace application to screw around with a built-in OS function like help files.

Look, if we're honest, the only reason why IE is so tightly integrated with the OS in the first place is because Microsoft wanted to abuse its desktop OS monopoly by using it to dominate the browser market. If not for that, IE would be a standalone browser and would be separate from any built-in HTML rendering that's part of the core Windows system, like help files in this case. This is one reason why I use Linux: Microsoft obviously cares about its marketshare more than my security, and I cannot in good conscience use my money to support a company with such backwards priorities. I'm sure someone will chime in with talk about how useful Windows is, and I won't argue (much) with that.

This is really a moral issue. Anyone with decent principles wouldn't want to reward a company with such questionable business practices, not even if they made the finest software available. I'm sure the rest of you who don't have such principles will have a million excuses for why you continue to support Microsoft with your wallets, and that's fine. Every dishonest organization has its useful idiots without which it could not continue existing.

Re:Yet another reason

[Fnord666]

Don't press the F1 key? Jesus fucking christ. What next, don't power up the box?

Actually if you look at security advisory number ....

Re:Yet another reason

[Opportunist]

No, actually I still think it's a great idea. I would just paperclip to it that the actual culprit gets to pay when the shit hits the fan. If I'm to blame, I pay. If MS is to blame, they pay.

Just tell me early enough so I can make sure to dump all MS and Adobe stock I might have.

Re:Yet another reason

[Opportunist]

What next, don't power up the box?

That's actually a pretty good way to secure a Windows box. That or forgetting a Linux live CD in the drive (and have the system boot from CD first).

Re:Yet another reason

[shutdown+-p+now]

You do realize that KDE, for example, also uses the same HTML component - KHTML - for both its standalone browser, and help system (and many other things)? I'd expect OS X to do the same with WebKit. Gnome is different, but mainly because of the mess they made with GtkHTML vs Gecko vs WebKit; the long-term plan, as I understand, is still to migrate to WebKit for everything.

It's also purely a matter of practicality - I mean, why would you have two distinct HTML renderers?

Re:Yet another reason

[Froboz23]

I don't see what the big deal is. Windows is a perfectly secure operating system as long as you don't access any external media or connect to the internet.

(Coming from someone who just spent 10 hours removing the Internet Security 2010 trojan malware from his wife's computer.)

Re:Yet another reason

[RalphSleigh]

The same HTML rendering component I can understand, but in this case it appears a script running in a web browser instance of the component can somehow affect the help rendering instance, and that is a quality WTF.

Re:Yet another reason

[adtifyj]

You do realise that KDE and Gnome are not operating systems? "OS X" is also not an operating system in the typical sense of the word; it has Darwin under the covers, responsible for managing all the hardware and important functions like permissions, ensuring that the core system can't be hosed when an rogue application is somehow allowed to be run as a user.

It is comforting to know that if something goes wrong on Linux or OS X (or similar), that the problem is almost always limited to only a single 'user' account, and problems which allow escalation of privilege are treated as critical (i.e. not left unpatched for four weeks like this F1 bug).

Re:Yet another reason

[shutdown+-p+now]

Quality-wise it's clearly a defect, but GP was ranting about it from some moral "evil monopoly" perspective.

Re:Yet another reason

[dave562]

That seems to be a popular one these days. What preventative measures did you have in place to mitigate the infection vector? I haven't dealt with malware since I stopped working one people's home computers. My co-worker still does it for cash on the side and he's been dealing with that Internet Security 2010 a lot.

Given that you went to the trouble of rebuilding the whole thing, and I hope that after 10 hours, you really just formatted and reinstalled the apps. Why don't you image it, and have your wife save her files to a NAS? That way if it happens again, you can just load the image.

Re:Yet another reason

[mqduck]

So your turning amish right?

What about his turning Amish? Perhaps you meant to ask if his turning Amish (which is news to me) is right, and just left out an 'is': "So IS your turning Amish right?"

In which case, I'd consider it his personal right to choose to do so, but would suggest that turning hardcore GNU would be a bit easier.

Re:Yet another reason

[shutdown+-p+now]

You do realise that KDE and Gnome are not operating systems? "OS X" is also not an operating system in the typical sense of the word; it has Darwin [wikipedia.org] under the covers, responsible for managing all the hardware and important functions like permissions, ensuring that the core system can't be hosed when an rogue application is somehow allowed to be run as a user.

Guess what? Windows works in exact same way. There's the kernel there, then a set of userland APIs on top of then, then the UI layer, and finally the actual DE. Just because they are shipped in a single box, and aren't explicitly marked as separate, and given funny-sounding names, doesn't mean they aren't there.

Do you seriously think that NT kernel somehow uses IE under covers?

It is comforting to know that if something goes wrong on Linux or OS X (or similar), that the problem is almost always limited to only a single 'user' account

It depends on your definition of "something goes wrong". A privilege escalation exploit has the same problems on any OS, and without one you can't break the system on modern Windows versions (speaking of which, note how Vista/7 aren't vulnerable in this case), either - user account security is not fundamentally different in NT compared to Unix.

Oh, and this isn't what is usually understood by a privilege escalation vulnerability - it doesn't give you root or anything. It's rather a sandbox breakage - scripts which should be executing in a browser sandbox "leak out", and run with all privileges of the user interacting with the machine.

Re:Yet another reason

[steveha]

why would you have two distinct HTML renderers?

But the problem isn't in HTML. The problem is this: a web site can pass a WinHelp (.HLP) file to Internet Explorer, and Internet Explorer will trust it. WinHelp is a binary format, and somebody found a buffer overrun attack or something similar that allows for arbitrary code execution.

WinHelp was state-of-the-art in Windows 3.0, but its day is long past. It's a legacy format. The reason this attack doesn't work in Windows Vista or Windows 7 is that Microsoft had finally stopped supporting it.

This issue is roughly similar to having a JPEG decoder that is vulnerable to badly-formed JPEG images that contain exploit code. However, image formats do kind of need to be binary; given that we have both HTML and XML, there is really no need for a binary help file format anymore.

steveha

Re:Yet another reason

[Bigjeff5]

Look, if we're completely full of shit, the only reason why IE is so tightly integrated with the OS in the first place is because Microsoft wanted to abuse its desktop OS monopoly by using it to dominate the browser market.

There, fixed that for you.

IE was originally just an extension of Windows Explorer to browse the web and read HTML. It was literally a small app that pointed to a few new dlls and a whole lot of dlls that were already there. Explorer already processed files for Windows, and HTML was basically just a text file that needed processing. The simple solution? Add a dll and an app to call it, and let Explorer do the rest. Remember IE was born when the internet was practically nothing, almost everyone used AOL or Prodigy or some other service, and they all had their own browsers. IE was more of an "Eh, it could be useful" add on for Windows. As such it didn't warrant investing a lot of time and effort into a separate app, especially when most of the functionality needed was already there.

The reason IE is integrated so tightly with the OS is because it is an offshoot of the OS, that's how it came about. It's like pointing to a branch and saying "Lets be honest, the only reason the branch is so tightly integrated into the tree in the first place is because the tree wanted to dominate the branch market. If not for that, the branch would be a standalone standalone plant and would be separate from any built-in circulatory system that's part of the core tree, like the roots." Any dumbass can see the branch came FROM the tree, and is used extensively by the tree to improve its ability to live.

Browsers that started as completely separate entities obviously don't have this problem, but Internet Explorer did not start this way. On the one hand it has helped them gain dominance in the browser market (and really, had it been a separate program they would still have the dominance, integration has nothing to do with that, inclusion with the OS does). On the other hand, being so tightly bound into core OS functions has led to a lot of security issues over the years, which has hurt their position in the browser market.

Re:Yet another reason

[blackraven14250]

Evil monopolies don't care about quality if the cost to fix is greater than the benefit of not fixing. Since Microsoft has been doing exactly this for a long time, it kinda fits with the evil monopoly perspective.

Re:Yet another reason

[L4t3r4lu5]

Why? Boot Ubuntu from a LiveCD, pop in a USB drive, backup data, reinstall Windows.

Oblig. XKCD

Re:Yet another reason

[jonaskoelker]

"So IS your turning Amish right?"

Or in terms of car analogies, when you drive along and you can either turn 90 degrees right, along a road near to you, or 45 degrees right on a road a bit further away in the same crossing, if you turn to the 45 degree angle far road, your turning is "Amish right". Sorta' right, but not quite...

Re:Yet another reason

[Froboz23]

It's been about 4 years since I've had any of my computers hit with a virus. My wife's system was reasonably protected with Windows XP running service pack 3 and fully updated, plus Avast antivirus with an up-to-date database, and browsing with Firefox version 3.5.8. But somehow it still got infected.

It had been a while since I backed up any data off her system, so I didn't just nuke the disk. I cleaned it off by removing the disk from the laptop and running it as an external USB disk on a sandbox system. After scrubbing the disk clean of a plethora of rootkits, viruses, and trogans, I copied the data (pix, docs, game saves) over to another disk. The virus had damaged the OS so severely that I just reinstalled from scratch. This was an Acer laptop that has the XP image sitting on a hidden partition, so the reinstall was surprisingly easy.

The reason it took 10 hours is because I was out of practice, and tried several other unsuccessful methods to remove the virus. In the future, I won't even bother booting a system that I know is infected. It's much easier to clean when you don't boot to it.

This virus was particularly... virulent. It disabled the task manager, the command prompt, and regedit, among other things. It was also present when booting in safe mode. I don't know how non-technical people deal with all this, especially since this system was better protected than probably 90% of the Windows boxes out there.

Re:Yet another reason

[Robert+Zenz]

Somebody (here or on SuperUser) actually did put a Linux-Live-CD into the drive, and glue the drive shut...his mother didn't have any problems since then. ;)

Re:Yet another reason

[Robert+Zenz]

I thought powering up Sony devices would be save, but you have to make a blood test for DNA clarification first. http://machall.com/view.php?date=2002-08-21

Re:Yet another reason

Interesting theory. Entirely wrong, of course, since IE actually started out as Spyglass Mosaic, which MS licensed, renamed, and started selling. (The agreement stated that Spyglass received royalties for every copy of IE that Microsoft sold, prompting MS to start giving it away free. Worked out for us, not so much for Spyglass.)

Re:Yet another reason

[Attila+Dimedici]

Unless it has changed significantly since the last time I cleaned up that particular virus, your wife's computer got infected because she navigated to a compromised website that told her she was infected and she clicked "ok" (or maybe they have inserted a click box that says something like "cancel", but reads to Windows as "ok"), the only way I have found to get out of that situation without installing the virus is to use Task Manager to close your browser. I have come across several websites that are otherwise perfectly legitimate (not porn, and I know they are run by reputable people) that have been hacked to do this.

Re:Yet another reason

[alcourt]

First rule of computer security, don't have a computer.

Second rule of computer security, if you do have a computer, don't turn it on.

(It goes on from there.)

F1!

[fm6]

F1!
I need somebody!
F1!
Not just anybody!
F1!
You know I need someone!
F1!

Re:F1!

[martin-boundary]

If you start me up
If you start me up I'll never F1
If you start me up
If you start me up I'll never F1

Re:F1!

[Chris+Mattern]

"You make a grown man cry"

So true :-)

Re:F1!

[Oscar_Wilde]

On a mac you can actually press the help key. It's over near the home key, IIRC.

I wonder if it could be made to actually insert the word help into text fields, it's certainly never used for any useful help information.

Re:F1!

[Dumnezeu]

I want some of your pot.

Re:F1!

[Moghedien]

Not on my Mac it's not, but you're right, it's near the home key on some (older?) Mac keyboards. I have 'Fn' instead of Help on my keyboard, use it all the time to control/mute the volume.

I sometimes...

[neptunusmaris]

... try to F1 (if you know what I mean) ..he he.... he

Only MSIE users

[icebike]

Any XP user still using Internet explorer probably hasn't a clue that F1 does anything at all.

Re:Only MSIE users

[Alien1024]

This probably affects any help file in html format, which is displayed through the IE rendering engine. Many new applications use html help files.

Re:Only MSIE users

[Ogive17]

My office alone has about 150 computers running XP and IE6... not by choice...

Re:Only MSIE users

[icebike]

Really? What could possibly tie you to IE6? Even Microsoft has STRONGLY recommended you move on.

Re:Only MSIE users

[Barryke]

Over here - some menusystem in Sharepoint 2007 won't work to their fullest when using anything other than IE6.
I figure its some deprecated implementation that survived Sharepoint upgrades.

Or as Buzz Out Loud says...

[Rammed+Earth]

F1 is now FU! (originally from BOL chatroom)

MS was concerned about how this was exposed?

[Meshach]

From TFA:

Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

I find the idea that Microsoft is angry at the people who found a problem in Microsoft software not telling Microsoft about it hilarious.

Re:MS was concerned about how this was exposed?

[timeOday]

Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug. You can't argue that "security researchers" who sell 0-day vulnerabilities on the black market are helping anybody but themselves (not that Prodeus fits this description).

Re:MS was concerned about how this was exposed?

[martin-boundary]

Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users

It does not. It minimizes potential damage to the brand, so the vendor can decide if it's worth their while to do something.

You can't argue that "security researchers" who sell 0-day vulnerabilities on the black market are helping anybody but themselves

Better they sell it on the black market than they use it quietly. Moreover, if there's a market, then it's worth something and "good guys" can bid, too.

Re:MS was concerned about how this was exposed?

[causality]

Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug. You can't argue that "security researchers" who sell 0-day vulnerabilities on the black market are helping anybody but themselves (not that Prodeus fits this description).

I frequently hear this type of reasoning. It should be listed as a known/cataloged talking point so we can all absorb it once and move on, instead of seeing it rehashed every time this sort of discussion comes up. Sorry but old and well-worn arguments aren't contributing much. They don't have much power to convince anyone who doesn't already subscribe to that viewpoint.

What I don't hear so much about is the incentive provided by full public disclosure. If you know that security vulnerabilities will be disclosed to the public, that this will result in security problems for your customers, that it will cause public humiliation for your company, is this not a strong incentive to secure your software in the first place? Confidential disclosure to the vendor only seems like it lets them off the hook a bit too easily. I'd normally be slow to view it that way, but Microsoft has a long history of such problems despite having tremendous resources it could dedicate to proactively eliminating them. They have the expertise, they have the money, they have the ability; what they lack is the will. There's simply no excuse for allowing a browser to influence bulilt-in OS functions. I view this more like negligence on Microsoft's part and less like an unforeseeable event that could have happened to any vendor.

As far as causing the least harm to the end users, should we be concerned about this in the long run? In the short term this can be quite unpleasant, and I don't enjoy the idea that someone who just wants to get their work done might have problems because of something beyond their immediate control. But it's not entirely beyond their control. Microsoft could not possibly exist were it not for the users who purchase its products.

When its products malfunction in preventable ways, they make the Internet a worse palce for everyone. I may run a relatively secure *nix machine, but I can still receive spam e-mail delivered by compromised Windows machines. So can everyone else. Since the situation could not possibly exist if not for Microsoft's users, is it really an injustice that they catch some flak when the entity they keep financially supporting fails to do its job? If they dislike this, should they not be a bit more careful about how they vote with their wallets and for whom they vote? I know the victim mentality is popular these days, but if you either know or could have known what you're dealing with, and continue to behave as though you do not and cannot know, should you cry fowl when there are negative consequences?

Microsoft has a long history of problems like this. Anyone who deals with them and doesn't know that has simply failed to do their homework. The real "accomplishment" of Microsoft is that they, through their widespread presence, have convinced the general public that exploits, malware, and other security problems are a normal part of operating a computer. I'm not claiming that Microsoft's products are without merit; if they were, even the non-technical masses would not use them. I am merely skeptical of any notion that their positive contributions to this industry have outweighed their business practices and their negative contributions to this industry.

Re:MS was concerned about how this was exposed?

[Aqualung812]

I think the people that can discover a security bug like this can take a guess at how long it will take Microsoft to fix. It is totally the moral middle ground to say to Microsoft: "Here is the bug in your software I found. I will publicly release the details of this in (days assumed to fix)+30 days so that people can protect themselves. Please publish your patch before this date. Thank you."

Re:MS was concerned about how this was exposed?

[causality]

Sheesh, blah blah blah. What your parent said isn't a talking point. His point was much better than yours in less words. All a researcher has to do is notify MS. Give them a reasonable amount of time that you clearly specify(say a month) and then publicly disclose it. Your disdain of MS shouldn't erode your common sense.

You have failed to address the issue I raised.

If its users were more discriminating and more willing to expect quality, I would have no reason to disdain MS. You act like any disdain on my part is an opinion or a matter of taste, and not like MS has soundly earned it.

Microsoft is a business. That means they will tend to do whatever makes them the most profit. If selling garbage makes profit for them, then they will sell garbage. If no one is willing to buy garbage, then they will be forced to sell quality. Therefore, Microsoft does whatever its paying customers are willing to put up with.

The point I raise, to restate it for you, is that this multibillion-dollar company with many highly skilled employees has both the expertise and the resources to design their systems in such a way that they do not suffer such vulnerabilities. They don't do this because they can profit without doing this; therefore, why would they go to the trouble when more effort means more expense? They can profit without doing this because their paying customers will tolerate insecure products. They think malware and other system compromises are an inherent aspect of owning a computer. If people who hold this false belief and use their money to support a vendor which caters to this false belief suffer because of this false belief, why should that trouble the rest of us? Are they not reaping what they sow?

Those of you who believe in confidential, discreet disclosure are implying that the effects on the customers should trouble the rest of us. I'm willing to entertain the idea, but to do that I need someone to tell me why Microsoft's customers are not merely reaping what they have sown. You have not addressed this. If you would like to, I'm all ears, but attempting to tell me that Microsoft's security history is irrelevant, that it's unfair to consider its business practices and priorities, or that I should ignore the fact that they have both the knowledge and the resources to deliver more secure products will never work with me. Please save that and your "blah blah blah" handwaving for the pushovers who are impressed by your assertions. As for me, I deal in facts.

Again, if you would like to actually address any of the issues I have raised, I'm all ears. The fact that you dislike my opinions has been noted, but does not constitute a worthy response.

Re:MS was concerned about how this was exposed?

[dave562]

They think malware and other system compromises are an inherent aspect of owning a computer.

They are. In the 1990s, despite "Windows boxes in the internet" (if you had a SLIP connection), all of the exploits that I saw were targetting SunOS and BSD. They were going after Apache. When Aleph One was writing about buffer overflows, do you think he was working with Windows apps?

Computers are insecure. Networked computers are even more insecure. Windows is the low hanging fruit. I know it sounds tired, but if Linux had the same market share as Windows, you'd see the same kind of cat and mouse game going on between security researchers and malware programmers. If you put Ubuntu 9.10 on 80% of computers connected to the internet, and loaded it up with the 10 or so typical apps that people use (word processors, web browsers, Flash, etc), within six months you'd see vulnerabilities popping up left and right.

At the end of the day, it's all software running on an x86 processor. All it takes is one lazy coder, one tired QA guy, or one bad library and you have a zero day exploit. Computers need to execute code. You can only run so many checks on any given input. You can only limit the functionality of a module so much before it becomes useless. You can only bug users with "Are you sure you want to run this?" prompts so many times.

If you want an idea of a secure operating, turn your web browser security settings to Prompt/Ask. JavaScript, HTML, XML, EVERYTHING set to prompt. Spend a week browsing the web in that configuration. Let me know how you like it.

Re:MS was concerned about how this was exposed?

[roystgnr]

should you cry fowl when there are negative consequences?

Certainly not. That would be ducking responsibility.

Re:MS was concerned about how this was exposed?

[GNUALMAFUERTE]

Bullshit. When you find a security issue in a piece of Free Software, you feel compelled to fix it. You can fix it and submit the patch (and get the credit for it) without leaving your desktop. Everything is there. do a svn checkout, fix, commit. That's all. People will thank you, and you'll feel great.

When you find a security issue on a microsoft product, you have to:

Find a way to report the bug. You know, it's not simple ... contacting someone in there is impossible. you can send an email and blindly wait for it to be fixed. But behold, if they do take your bug report, they are probably not going to fix it. Wait six months sitting on the bug report. When it becomes public, they'll first sue you for attacking their OS, and most likely win. If you publish the bug on your blog, you'll get threats and DMCA takedown notices. Then, 3 months layer, they'll quietly patch it, with a 200mb security update, that will break 10 other applications, cause every machine to blue screen, and probably introduce 10 new vulnerabilities. 2 Week later, they'll start telling people to NOT install that latest service pack. A year later, the patch will go away due to some other update that fixes it, or some other external agent (like an antivirus software) "fixing" the issue. 5 years later, a brand new version of windows will come out, and the bug will resurface.

And, whatever happens, you won't get any recognition, and windows will still be totally insecure. Microsoft will still make billions out of it.

So, why help? For all I know, the best strategy to a more secure Internet is to let microsoft die ....

Re:MS was concerned about how this was exposed?

[causality]

Computers are insecure. Networked computers are even more insecure. Windows is the low hanging fruit. I know it sounds tired, but if Linux had the same market share as Windows, you'd see the same kind of cat and mouse game going on between security researchers and malware programmers. If you put Ubuntu 9.10 on 80% of computers connected to the internet, and loaded it up with the 10 or so typical apps that people use (word processors, web browsers, Flash, etc), within six months you'd see vulnerabilities popping up left and right.

It does sound "tired" and I appreciate that you are up-front enough to concede this, but in the same spirit I can admit that it's not unreasonable to wonder it. Still, I have a simple issue with this argument. While it has nowhere near the marketshare of Windows, there are still millions of Linux computers connected to the Internet. Compared to Windows, a disproportionately large number of Linux machines are beefy servers with large amounts of bandwidth. If they were as easy to take over as a home user's Windows machine, they would be more attractive targets. Yet there are no successful viruses or other self-replicating malware programs for Linux in the wild. There are proof-of-concept viruses, but they do not propagate on the Internet.

At the end of the day, it's all software running on an x86 processor. All it takes is one lazy coder, one tired QA guy, or one bad library and you have a zero day exploit. Computers need to execute code. You can only run so many checks on any given input. You can only limit the functionality of a module so much before it becomes useless. You can only bug users with "Are you sure you want to run this?" prompts so many times.

My disagreement here is that you don't need to prompt the user or enable any highly exotic verification to prevent the exploit that is the subject of this article. All you need is some decent sandboxing. Yet one of the most powerful, resourceful, and well-staffed software companies in the world failed to implement it for this version of Windows. Something there does not add up.

If you want an idea of a secure operating, turn your web browser security settings to Prompt/Ask. JavaScript, HTML, XML, EVERYTHING set to prompt. Spend a week browsing the web in that configuration. Let me know how you like it.

In my opinion, you are engaging in quite a bit of hyperbole there. On my Linux system, the "help" function (in my case, a part of KDE) is implemented by binary executables that are owned by the root user while readable and executable (but not writable) by the user who is running them. Firefox, which runs in a similar fashion and also has the privileges of my normal non-root user, cannot affect the KDE online help even if it wanted to. This is an example (and not the best one) of the principle of least privilege. Firefox doesn't need to have the power to modify other parts of the system, so it has no such power. Simple.

There's no need for me to enable any extra confirmation dialogs, or anything else in order to achieve this. I simply enjoy it as part of the fundamental design of this operating system. I have a very hard time believing that one of the most well-funded, well-staffed software companies the world has ever seen was not capable of either matching or surpassing this level of robustness. This was already a standard feature of Linux before XP was released. That isn't the sort of "innovation" they keep talking about. It's more like a bad job of playing catch-up now that more recent Windows versions have improved in this area.

Windows is not merely the low-hanging fruit. It's more like the pre-chewed fruit that is already partially digested. Perfect security is of course not possible. But if you want to eliminate all the large botnets and spam networks, that's easy: make Windows security strong enough that automated attacks will not compromise it. Make it

Re:MS was concerned about how this was exposed?

[dweller_below]

Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug.

IN A TIMELY MANNER.

You forgot the bit that's at the core of the disclosure debate. Virtually everybody in the security industry agrees on the principles of disclosure. All the flames are over the timing.

In one corner, we have Microsoft. They appear to believe in full disclosure, once the disclosure will have no adverse effects on stock price or profitability.

In another corner, we have a tiny handful of scum sucking, mercenary security researchers who believe that disclosure will happen just as soon as they get paid. And the terms of that disclosure will be whatever the purchaser wants.

In the other corners, and carpeting the entire floor, are all the rest of the security community. They believe that full disclosure must happen in a time-frame that minimizes damage to the user community. They just can't agree on when that might be.

This lack of a concensus has made it easy for Microsoft to define the current terms of disclosure. The result has been suppression of disclosure for longer and longer periods. The inevitable consequence is more and more '0' day exploits.

In September 2009, SANS released an excellent State-of-the-Internet on the top cyber security threats: http://www.sans.org/top-cyber-security-risks/ One of their points was:

"World-wide there has been a significant increase over the past three years in the number of people discovering zero-day vulnerabilities, as measured by multiple independent teams discovering the same vulnerabilities at different times. Some vulnerabilities have remained unpatched for as long as two years."

To demonstrate this issue they enumerated the history of MS08-031:

For example, MS08-031 (Microsoft Internet Explorer DOM Object Heap Overflow Vulnerability) was discovered independently by three researchers. The first researcher submitted remote IE 6/7 critical vulnerability on Oct 22, 2007. A second independent researcher submitted the same vulnerability on April 23, 2008. A third independent researcher submitted the same vulnerability on May 19, 2008. All three submissions outlined different approaches of auditing and finding the same vulnerability.

What goes unstated is while 3 'responsible' researchers disclosed to Microsoft and waited and waited, unknown numbers of hackers also discovered the vulnerabilities and exploited them.

Just this week, a dozen well managed, fully patched, WinXP (with .NET installed) computers at my institution were compromised by clicking on a major news site (http://www.ksl.com/index.php?nid=148&sid=9814436).

Microsoft would have us believe that this is acceptable. But really, would immediate, full disclosure be any worse?

Miles

Re:MS was concerned about how this was exposed?

[10101001+10101001]

They think malware and other system compromises are an inherent aspect of owning a computer.

They are. In the 1990s, despite "Windows boxes in the internet" (if you had a SLIP connection), all of the exploits that I saw were targetting SunOS and BSD. They were going after Apache. When Aleph One was writing about buffer overflows, do you think he was working with Windows apps?

So, because in the past there was malware, inherent there must be malware. Hmm..I guess small pox and polio are just things we'll forever have to deal with*.

Computers are insecure. Networked computers are even more insecure. Windows is the low hanging fruit. I know it sounds tired, but if Linux had the same market share as Windows, you'd see the same kind of cat and mouse game going on between security researchers and malware programmers. If you put Ubuntu 9.10 on 80% of computers connected to the internet, and loaded it up with the 10 or so typical apps that people use (word processors, web browsers, Flash, etc), within six months you'd see vulnerabilities popping up left and right.

Oh, I have little doubt of that. Computers are insecure because we accept that. Linux might be more secure but in many ways it's only marginally so. A Unix-clone is no more the salvation of computer technology than the malware ridden SunOS you mentioned before. The fact that OSs are generally written under a bad design is the fundamental problem, but it's not really an insurmountable one.

At the end of the day, it's all software running on an x86 processor. All it takes is one lazy coder, one tired QA guy, or one bad library and you have a zero day exploit. Computers need to execute code. You can only run so many checks on any given input. You can only limit the functionality of a module so much before it becomes useless. You can only bug users with "Are you sure you want to run this?" prompts so many times.

It's funny, but that's precisely the reason why secure software is possible. The x86 processor is a known device. The software running on it is known. The chance of cosmic rays changing software is known and compensable. As you note, the current structure of development is focused on it taking but one lazy coder, QA guy, or ancestor code from libraries for something bad to happen. Yet, odds are good that most programs do not to be written in turing complete languages. In fact, technically, software isn't written on turing machines. Quite simply, there are various design decisions that can reduce much software as automatically provably correct and the vast majority that cannot be automatically proven correct can be either manually proven correct or tested with sufficient tolerance by sufficient numbers of people that actual bugs in the software and the design are so remote that, while not a non-issue, would not be remotely in the field of "computers are insecure".

If you want an idea of a secure operating, turn your web browser security settings to Prompt/Ask. JavaScript, HTML, XML, EVERYTHING set to prompt. Spend a week browsing the web in that configuration. Let me know how you like it.

Now, this is some truth to this. Having a secure computer is near worthless if the user has no value to keeping the system secure. Yet, clearly, the issue is that users cannot reasonably associate one's actions with harm. This is in vast part because the things that software done is significantly hidden and unreversable. To make an analogy, it would be like being the guard at a prison and having merely the capability to allow or deny a person without being able to search them at any time, generally witness their activities but only the results at the end of the day, or readily revert the damage a visitor might do. Clearly, the granting power to the user cannot simply be allow or deny. Perhaps there are many who do not care or wish to c

Re:MS was concerned about how this was exposed?

[ericvids]

Even better is that Prodeus actually notified them.

By Prodeus' account, he notified Microsoft of the flaw Feb. 1, about four weeks before publishing his findings.

What's hilarious is that Microsoft is basically angry with a straw man.

Re:MS was concerned about how this was exposed?

Linux servers on the Internet are very, very differently configured from Linux computers for home use, so I don't think that's a valid comparison. They're also far more likely to have a competent admin monitoring them.

They can, but they won't, and that's my issue with them.

This doesn't repro on Vista, so it's been fixed for over 3 years. They didn't allow free upgrades to Vista, true (and according to lots of slashdotters, they wouldn't have taken it if offerred).

Re:MS was concerned about how this was exposed?

[dave562]

It does sound "tired" and I appreciate that you are up-front enough to concede this, but in the same spirit I can admit that it's not unreasonable to wonder it. Still, I have a simple issue with this argument. While it has nowhere near the marketshare of Windows, there are still millions of Linux computers connected to the Internet. Compared to Windows, a disproportionately large number of Linux machines are beefy servers with large amounts of bandwidth. If they were as easy to take over as a home user's Windows machine, they would be more attractive targets. Yet there are no successful viruses or other self-replicating malware programs for Linux in the wild. There are proof-of-concept viruses, but they do not propagate on the Internet.

It comes down to target market. The people running Linux servers are qualified administrators. Linux servers are generally role specific. They probably only have a few apps running on them. Unless a network is being run by someone without a clue, Windows servers aren't getting taken apart by driveby downloads. The exploits are happening in one of two cases. Either internal users are leave the secured network and hitting compromised sites, or social engineering-esque exploits are coming in through the mail system, IM, etc.

You brought up Linux servers and then jumped sidways to talk about home Windows boxes. What are we talking about here, apples or oranges? Servers or workstations? What percentage of the Linux boxes are all running a uniform kernel and distro? Where are the consistent apps on every platform? Think like a malware writer for a second. Think like someone trying to find where in RAM an offset is going to be living. Think of an infection vector. What are you aiming for on Linux? KDE? Gnome? X? What revision? Be a serious for a second. If you know enough to write exploit code, what pool are you aiming for? Where you are going to focus the limited time that you have?

Think about the real world. Movie-esque financial heists where you clear millions of dollars out of a compromised system don't happen (unless you work for Wall Street, and then it's legal). Real world fraud is done with compromised credit cards and bank accounts. That data is swapped across the web and kept in Quickbooks. It is locked up in bank websites that have easy to intercept (on a compromised system) authentication mechanisms. If you were going for money, where would you go? Windows, or Linux? Fraud is a numbers game. System cracking is mostly automated. You find an exploit, write a bot and start scanning for the vulnerability. Out of any given Class B block, what percentage of IPs are Windows boxes? What if you're targeting Charter, Time Warner or Cox?

It all comes down to the users, and the numbers of them. It takes time to write an exploit. If you were to roll out 450,000,000 Ubuntu 9.10 workstations with the same web browser and mail client and give them to the general public, you'd have exploits. You'd have exploits if the general public were storing data that thieves cared about. You'd have "Linux Antivirus 2010" the first time someone figures out how to trick a user into downloading a script that resizes their desktop, or randomly changes a .conf file. From there how long until a user "clicks here" on the identical to Canoncial's system message themed dialogue to fix it? How long do you really think it would be before someone finds where Thunderbird or whatever client you want to load with Ubuntu stores its address book? Does Ubuntu desktop even have ufw on by default? I know I had to enable it myself when I loaded 8.04 LTS server. What would stop someone from kicking off an smtpd process, or loading some code to piggy back on Thunderbird?

Arguing Linux versus Windows in the hands of John Q Public is sort of like trying to prove or disprove God at this point. We don't have a large enough sample size to make definitive statements on. IMO, human nature doesn't go away because people use different OSes. The

Re:MS was concerned about how this was exposed?

[Locutus]

because without what Microsoft wants in keeping vulnerabilities secret, security by obscurity does not work. So of course they are angry, they're fighting a losing battle.

LoB

Re:MS was concerned about how this was exposed?

[Tim+C]

I frequently hear this type of reasoning. It should be listed as a known/cataloged talking point so we can all absorb it once and move on, instead of seeing it rehashed every time this sort of discussion comes up.

If we did that with every oft-repeated argument or piece of information on here, the number of comments attached to most articles would drop through the floor.

For example your discussion of the fact that insecure machines affect everyone on the net is hardly new. In response, I will merely refer you to the common talking point "it's the users, not the OS" (or "if everyone ran *nix machines the same naive/uncaring/stupid users who get their Windows machines infected would get their *nix machines infected and the problem would remain the same").

Re:MS was concerned about how this was exposed?

[Rockoon]

They are. In the 1990s, despite "Windows boxes in the internet" (if you had a SLIP connection), all of the exploits that I saw were targetting SunOS and BSD. They were going after Apache. When Aleph One was writing about buffer overflows, do you think he was working with Windows apps?

This is exactly what these newbies just don't know. (thats right, most of you slashdotters are newbies to the internet.. 5 or 10 years? lol.. newbs)

A small snippet of the security problems on the early internet are in CERT Advisory history. When the internet was mostly unix, unix-like, and VMS machines.. there were plenty of exploits for unix, unix-like, and VMS machines.

Re:MS was concerned about how this was exposed?

[lskovlund]

This doesn't repro on Vista, so it's been fixed for over 3 years. They didn't allow free upgrades to Vista, true (and according to lots of slashdotters, they wouldn't have taken it if offerred).

They didn't "fix" it by fixing the bug, they fixed it by removing the component (according to other posts, at least; I don't use Windows). So the question is: Does removing a component for entirely unrelated reasons amount to a will to "fix" the bug? In my view, no - it only demonstrates that they were willing to remove the component for unrelated reasons.

Re:MS was concerned about how this was exposed?

[dave562]

So, it is quite amazing that humanity has effectively wiped out small pox and there are efforts to wipe out polio, yet there's some supreme denial that we could ever hope to have a computer ecosystem that approaches that sort of environment with malware presuming just reasonable efforts.

Small pox and polio were arguably a survival of the species threat. A compromised machine sending out v1gr14 spam doesn't evoke the same, "Oh crap, we're going to DIE if we don't get this taken care of." level of response.

As others have pointed out, the issue with security and OS design comes down to cost. It involves a VERY LARGE number of production systems. Microsoft can't pull an Apple and just yank the plug on their 3% of the market and then release OSX and force everyone to buy their applications over again. Instead the best that we can hope for are incremental upgrades, and in the absence of upgrades, alternatives and better ways of doing things (in the form of Linux or what have you). Take a look at IE8 running on Win7 with DEP and ASLR. Will someone eventually break that combination of technology? Of course they will. But you can see the improvement. TFA this discussion is part of is about IE on XP. We might as well be crying about Netscape on Win95. Stop the presses! "Glitch found in 8 year old OS running legacy, depreciated browser!" It just re-enforces my statement about malware targeting. They go for the low hanging fruit. They go for the most widely adopted technologies. There are way more XP and IE6/7 boxes than there are Win7/IE8 boxes.

http://dvlabs.tippingpoint.com/blog/2009/03/27/pwn2own-ie8-exploit-foiled-is-the-browser-finally-secure

The last time I personally saw a compromised Windows server in the real world was in 2004. It was a NT 4.0 SP6a machine. A client, despite being told not to, setup an unsecured wireless access point. They were next door to a Starbucks. It lasted a little more than a week before some exploit code blue screened it. On the workstation front, I haven't seen a workstation that I was responsible for compromised in four or five years at this point. However having spoken to friends and colleagues, I know that Windows boxes are getting owned through no real fault of their users. I don't hold users responsible for not being able to cough up the cash for real, external to the box itself, security products.

There are mitigation measures available to address most of the security concerns, and for most people and organizations, those measures are good enough. It is a cost of doing business that Microsoft passes onto their customers. The customers eat the cost because they need the apps. Customers are faced with spending money one way or the other. They either spend on security products and software updates, or they spend on development resources and build their own applications. Microsoft isn't the only vendor that pushes security updates. It seems like my Java VM updates itself once a month or so. Apple is pushing updates. Adobe is pushing updates. My Ubuntu box runs apt on a cron job to get updates. Software needs to be kept up to date.

As I've said before, if I were a developer, I wouldn't be using Microsoft technology because I've seen first hand what happens when you expect a customer to cough up thousands of dollars for Windows Server and SQL licenses ON TOP OF the cost of your application. The hosted in house on a Microsoft server market is rapidly shrinking. There is a reason Microsoft offers SQL Server MSDE. It is hard to compete with free. But this is getting off on a tangent, and flying far afield of the original point about small pox and computer security.

To use the health analogy, there are vaccines available. There are IDS and IPS products. There are proxy security products. There are AV products. If you're a responsible parent, you innoculate your children.

Re:MS was concerned about how this was exposed?

[brkello]

My blah blah blah wasn't hand waving what you were saying away, it was that while you write a lot, you aren't really making any point that matters. But let me address why I think this...I honestly am not trying to be flamebait.

I disagree with your assertion that a company (millionaires or not) can create a perfectly secure OS. Linux is not secure. Macs are not secure. 7 has actually made a lot of effort at being more secure. But as long as you are connected to a network, you are vulnerable. I don't care how good your coders or how much money you have, for a computer to function, there are going to be vulnerabilities. That's why if people really want to secure their data, they have stand alone networks.

Can MS do a better job? Sure. Is it the garbage that Slasdotters like to claim? Not at all. It isn't the most ubiquitous OS ever because it does everything poorly.

Ok, so your main point is that Windows users are dumb for using Windows and they deserve to be infected with malware. As a security researcher, this strikes me as extremely naive. Any OS that gains a majority of the marketshare is going to be a prime target. And if you are honest, the way most computer are infected are through social engineering. I.e. making people click on stuff they shouldn't click on. Users are going to always be the weak point of the system regardless of OS. Windows is targeted because it has the most users and the majority of business is conducted on windows so it is going to be a target. If Linux takes over, I guarantee you will see that issue.

I find your view that you shouldn't care about people to be a bit sad. Your argument is similar to saying "well, she dressed slutty, she deserved to be raped." Yeah, you don't use Windows, so you don't care. Great. A lot of people do. What is the best way to deal with vulnerabilities on any platform? Just release it to the public and let the hackers go crazy with it? That sure puts pressure on the company to patch it, but it leaves people vulnerable until they are able to find the best way to fix it. Or you can tell the company privately there is a problem and hope they fix it. But we know that doesn't put much pressure. So, as I stated, a common sense approach would be to tell them privately and then release it publicly after a reasonable amount of time.

Your argument about not caring about Windows users because they should be putting market pressure on MS to change is just fantasy. It isn't going to happen. I am a factual person as well and I am dealing in reality. People are going to be use Windows no matter how much you say they shouldn't. You are debating whether people should be using Windows...which just isn't realistic. They are going to be using it. So we get back to the real debate which is how to disclose vulnerabilities.

Re:MS was concerned about how this was exposed?

[brkello]

It's simple. People aren't checking mail on a server. They are designed to be secure. People using Windows are using it as their home computer and clicking on all kinds of e-mail attachment and websites. Completely different user model.

Re:MS was concerned about how this was exposed?

[10101001+10101001]

So, it is quite amazing that humanity has effectively wiped out small pox and there are efforts to wipe out polio, yet there's some supreme denial that we could ever hope to have a computer ecosystem that approaches that sort of environment with malware presuming just reasonable efforts.

Small pox and polio were arguably a survival of the species threat. A compromised machine sending out v1gr14 spam doesn't evoke the same, "Oh crap, we're going to DIE if we don't get this taken care of." level of response.

As devastating as polio was, it was never a "survival of the species" threat. Flu regularly kills many more people. No, the reason polio was targeted was because of its debilitating effects on survivors that had neurological infection. In fact, small pox was likely targeted for a similar reason (facial scares were common in many and like polio, there was a small chance of adverse secondary effects; in smallpox, those secondary effects were blindness and limb deformity)--of course, the existence of an effective vaccine for 99% of strains help. Of course, for polio the "March of Dimes" actually started *before* a vaccine was created. It took the disability of a president (FDR) to push a business-type man to really see the polio thing through, not simply as a program to create a vaccine (which was being researched regardless) but as a means to eliminate the disease across the whole US.

Btw, the really bad part of infected machines has more to do with copying a person's financial records, not the possible spamming. Perhaps that will motivate people to push for an actually secure system.

As others have pointed out, the issue with security and OS design comes down to cost. It involves a VERY LARGE number of production systems. Microsoft can't pull an Apple and just yank the plug on their 3% of the market and then release OSX and force everyone to buy their applications over again. Instead the best that we can hope for are incremental upgrades, and in the absence of upgrades, alternatives and better ways of doing things (in the form of Linux or what have you). Take a look at IE8 running on Win7 with DEP and ASLR. Will someone eventually break that combination of technology? Of course they will. But you can see the improvement. TFA this discussion is part of is about IE on XP. We might as well be crying about Netscape on Win95. Stop the presses! "Glitch found in 8 year old OS running legacy, depreciated browser!" It just re-enforces my statement about malware targeting. They go for the low hanging fruit. They go for the most widely adopted technologies. There are way more XP and IE6/7 boxes than there are Win7/IE8 boxes.

I see, so what you're saying is Microsoft couldn't release Win7/IE8 to improve security because people are still using Win XP/IE6? No, Microsoft can't "force" people to upgrade their systems. But, clearly, if Microsoft doesn't even bother to make a secure system, then it's quite impossible for people to upgrade to a Microsoft-produced secure system. Yes, people will still choose to run insecure systems. This whole discussion isn't about the fact that XP boxes can be infected (as ridiculous as the mentioned defect is). It's that Win7/IE8 isn't a secure OS/web browser. Yes, DEP and ASLR can help things (btw, IE8 under XP runs with DEP too), but they're merely stopgaps. So is OS X.

http://dvlabs.tippingpoint.com/blog/2009/03/27/pwn2own-ie8-exploit-foiled-is-the-browser-finally-secure

Yep, that link proves my point about DEP/ASLR in Win7/IE8 being a stopgap.

The last time I personally saw a compromised Windows server in the real world was in 2004. It was a NT 4.0 SP6a machine. A client, despite being told not to, setup an unsecured wireless access point. They were next door to a Starbucks. It lasted a little more than a week before some exploit code blue screened it. On the workstation front

Redundant advice

F1 in Windows, Office or MSIE has never caused any useful information to be displayed, so why would anyone ever press it in the first place?

Re:Redundant advice

[Barryke]

The person who modded this as Funny apparently never tried this.

Nothing even remotely related to the problem you experienced just before pressing F1 is displayed. This always surprised me.
It should open the helppages for the recent errors the OS experienced by default. IMHO

Windows Help F1

[edsousa]

This won't affect anybody: those users that aren't very computer literate don't even know that help exists and is one key away... the other ones already know that windows help won't lead you anywhere!

Re:Windows Help F1

[blackraven14250]

Ever heard of people who know just enough to be dangerous?

Re:Windows Help F1

[Barryke]

Hi. Press this execute button every 108 minutes. I'm off, tata!

Wishful thinking

"Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."

Call me a cynic, but I've got to be honest: The net effect may be positive, but I don't believe that Microsoft's idea of 'responsible disclosure' results in high priority investigation and timely patching of MS products.

Re:Wishful thinking

[sorak]

"Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."

Call me a cynic, but I've got to be honest: The net effect may be positive, but I don't believe that Microsoft's idea of 'responsible disclosure' results in high priority investigation and timely patching of MS products.

Only on Tuesdays.

F1 key?

[shivamib]

I tried it and got a Firefox friendly help tab. F1 is the second most annoying key.

What you really don't want to press is that cursed, evil POWER key. You know, when you're trying to find the Page Up ke

Nothing to Worry About...

[johnshirley]

Most users rarely use the F1 key for its intended purpose: to get help on whichever application they're fumbling through and instead just ask the nearest person to them who "knows a lot about computers" for help. So, the risk here is probably pretty small.

Not such a bad advice

[Alien1024]

Given the quality of the F1-contents these days, especially in MS apps, that's not such a bad advice - google instead.

Re:Not such a bad advice

[Opportunist]

I have yet to stumble upon a helpful help page in Visual Studio 08. Usually a search with Google ends up faster on a relevant MSDN page than pressing F1 in VS.

Interesting enough, it is also more relevant than a search inside the MSDN or using Bing. You usually do NOT find the same MSDN content as quickly within MSDN or with Bing, but instead get offered pages that try to cram some MS-interface down your throat. Maybe nice if you're programming with that interface, but utterly useless if you're using C++ instead of whatever web-aware magical brewitup crap MS tries to push currently.

Re:Not such a bad advice

[Saint+Stephen]

I never buy this line of reasoning. I think the VStudio MSDN help is a lot easier, especially when you want to learn about 50 different methods all in a couple of seconds. Online, it requires 50 different page reloads. In the MSDN help, the pages load instantly. I guess I always use the index - the search itself is useless. Must be because I've been using it for a bazillion years.

I rememeber when the first MSDN was just a bundle of KB docs, and they put a little index on it. Boolean searches! More powah!

Re:Not such a bad advice

[barzok]

Unless you count MS's development tools; the online help there is excellent. Forget the order of the parameters for REPLACE() in SQL? F1 takes you right there.

Re:Not such a bad advice

[swilly]

What I have found useful is searching for the MSDN page using Google by appending site:msdn.com to the search. Once I have found the page I wanted, I would then navigate to it using the MSDN help tool and bookmark it there. I agree that the MSDN tool is more convenient than looking at the docs in a web browser, but it's amazing how much better Google is at searching than the MSDN built in search tool is.

Re:Not such a bad advice

[Barryke]

I prefer the CTRL+SPACE trick in most IDE's.

Re:Not such a bad advice

[Alien1024]

Maybe that's the case for SQL. But try finding, e.g. DateTime format strings in .NET. Googling '.NET datetime format' (without quotes) returns the right MSDN page as the first result, whereas if you use the VS online help you have to navigate through quite a few pages to get there. And I find the IE-powered help viewer in VS much more sluggish than Chrome, even with locally stored help.

Does it affect Firefox on XP?

[BitterOak]

The security advisory says the problem has to do with the way Internet Explorer interacts with the help system. Does anyone know if Firefox users are vulnerable?

Re:Does it affect Firefox on XP?

[BitterOak]

Thank you for that very insightful reply. I'm surprised you haven't been modded up to +5 yet. Anyhow, what I was trying to ask, and perhaps I didn't phrase the question clearly enough, was does Firefox use the help system in the same way as IE? It wouldn't be the first time vulnerabilities affected more than one piece of software.

Re:Does it affect Firefox on XP?

[natehoy]

No, Firefox has its own help system. Press F1 for help in Firefox, and it will open a new tab pointing to a help page on support.mozilla.com.

Go ahead, try it. It's safe.

Re:Does it affect Firefox on XP?

[omega6]

On windows XP, help always launches in IE no matter what your default browser is. (In Vista/7 you can remove IE)

A temporary fix

One way to avoid security problems is to also avoid the "ON" button.

I thought it said 'don't press the 'F' key'...

[TeethWhitener]

This is ucking ridiculous. I'm a ullerene chemist, or uck's sake!

Re:I thought it said 'don't press the 'F' key'...

[courseofhumanevents]

+1, unny

Re:I thought it said 'don't press the 'F' key'...

[Dumnezeu]

The Ph key? Is that next to the Any key?

Re:I thought it said 'don't press the 'F' key'...

[Nick+Number]

The Ph key? Is that next to the Any key?

Finding it is sort of a litmus test.

This is ridiculous

[bl8n8r]

I find it fascinating just how long everyone has been putting up with the crap attitude towards security involving windows. Internet explorer has been the biggest wastes of disk space since there have been alternatives out there and it's amazing to me how many bone-headed people and developers are still insisting on using it. Microsoft must be very proud of itself.

Re:This is ridiculous

[maxume]

No, if you are using Firefox, the VBScript that triggers the exploit will not be run.

(I guess the exploit is still there, but I'm not sure how it is going to do anything, as the trigger requires malicious code to be loaded into IE, and then the user needs to press F1 while the code is doing its thing)

Re:This is ridiculous

[Arker]

I'm not sure of the mechanism, but more than once I've seen IE pop up to handle a specific file on a machine where firefox was set as the only browser allowed to run. So no, it may be less likely, but it is not impossible.

Re:This is ridiculous

[GNUALMAFUERTE]

What do you mean "since" there have been alternatives?

Internet Explorer came in late to the party. There were browsers after IE, and there are browsers after IE.

Same with windows. There were OSs before, and there are OSs after.

Anyone calling a certain software "alternative" to a given microsoft solution is just showing that he has less than 15 years of experience in computing, and that he hasn't learn a thing in those 15 years anyway ...

To read the rest of this article...

[edelbrp]

press F1 to continue.

Re:To read the rest of this article...

[deniable]

Even funnier if that's a BIOS message. No, don't press F1 if you're in Windows, yes if it's starting up, no not in IE. Help-desks of the world, I feel your pain.

Yes, AutoHotkey. Change any key to anything else.

[Futurepower(R)]

He's right. AutoHotkey is excellent. Change any key to anything else, or to a sequence of keystrokes.

Opens new doors...

[mgichoga]

We're sunk! What happens someone finally figures out the space bar hack?

Re:Opens new doors...

[pavon]

well.my.space.bar.shift.key.and.delete.key.on.my.cell.phone.stopped.working.after.i.got.into.a.hot.tub.with.it.in.my.pocket....so.now.my.texts.have.to.be.written.like.this.with.periods.for.spaces.and.mistakes.pushed.to.the.end.of.the.message.........htisdropwhenbrokdp

Re:Opens new doors...

[ThePromenader]

...andGodForbidTheyAlsoFindTheEnterKeyHack?<br>Eeek!

I cannot think of a better way to spread this

[NicknamesAreStupid]

than to tell people not to do it. Call it fatalism.

Having seen the average MS help file...

[Chris+Mattern]

...you're not losing all that much.

Except ...

[bkeahl]

Don't press the F1 key in XP after running Internet Explorer ... unless it's Wednesday, a third Tuesday of the month, or the moon is Gibbous. A browser should NOT be so integrated to the operating system to allow this sort of behavior!

Damn!

[Korbeau]

I'll have to stop missing the ESC and ~ key!

Most annoying thing: press F1 in a software like Visual Studio and have to wait 5 minutes for it to refresh online help.

Re:Yes, AutoHotkey. Change any key to anything els

[zapakh]

Can I change another key to be the any key? I can never find that darn thing.

AutoHotkey: Editor with syntax highlighting.

[Futurepower(R)]

AutoHotkey has its own free editor with syntax highlighting.

I just checked. My AutoHotkey script is 1,639 lines, 52,140 bytes. That doesn't include the special scripts.

The source code is available, as is a GUI creator.

The AutoHotkey programming language is quirky.

AutoIt has a more standard language. AutoIt is better for complex automated installation scripts, for example. AutoHotkey is better for hotkeys. Both offer compilation of their scripts to .EXE files.

RTFM..yeah right

Like windows users know what the F1 key is..or how to help themselves. That's why they use windows to begin with.

Microsoft Interview

[dawilcox]

I interviewed with Microsoft for a development position a few weeks ago. I found that the interviewers were very arrogant. They assumed they knew all the details about my past projects. It felt like politics with them would be horrendous because everyone is showing each other up.

Needless to say, I turned down the job offer. It doesn't surprise me how they keep making flub ups like this when the people at their company are so arrogant.

Funny you should mention this

[BitterAndDrunk]

My shitty tech blog posted something relevant to your interests.

Breaking

[aoeu]

Microsoft admits that their 'Help' is harmful.

I tend to mix/match

[BitterAndDrunk]

Due to AHK's quirkiness (limitations + my ignorance) I intermingle python/bash scripts with autohotkey.

Re:I tend to mix/match

[__aasqbs9791]

I seem to recall the Necronomicon mentioning that as a way to summon (but not bind!) a Byakhee...

don't worry!

[swigabyte]

I never hit F1. I've found windows help to be absolutely useless.

Oops!

[nastro]

I hit F1 by accident at least once a day trying for the Esc key.

They are the ones who code unresponsible

[Ilgaz]

Speak with a Windows Developer to learn about the power of "Help" and amazing things it can do. Remember, VBScript is there so it can be exploited. It can also launch apps, you can even embed registry files to help files (saw pc pitstop did it, in white hat way.

They never sit and think why the hell that exploit exists, they just want to release 10002020th patch for a broken thing.

(Obviously, Apple is so lame and old fashioned to stick with plain html files)

If that Polish researcher sold the exploit to black hat mafia for 1M dollars and it took months to figure the cause of a ILOVEYOU sized infection, they would see what irresponsible is. Remember, ILOVEYOU was coded for lame reasons and show off... These days, worms are coded for huge black hat economy nobody dares to predict.

An easier solution

[TropicalCoder]

Wouldn't it be simpler just to use a different browser? geez - they could have pointed that out in the FA. I was about to add a comment to that effect there - then I saw, written above the comment box "Sponsored by Microsoft". I guess that's why they didn't recommend trying a different browser...

Re:An easier solution

[dissy]

Wouldn't it be simpler just to use a different browser? geez - they could have pointed that out in the FA. I was about to add a comment to that effect there - then I saw, written above the comment box "Sponsored by Microsoft". I guess that's why they didn't recommend trying a different browser...

I'm not positive that will solve the problem.

While IE does have it's own help system that is invoked with F1, the majority of that help system is actually part of windows and runs almost whenever you hit F1.

Basically an application must specifically trap the F1 key, and of course be running and in the foreground when you hit the key, for the exploit to not be able to function.

Firefox does have it's own F1 help system that is html/css based instead of windows help based, but the very first version of opera I used a while back DID use windows help, so you could get yourself infected in that browser too.

Instead of worrying about each browser to see if they support windows help or not, or instead of making a blanket false statement that any other browser will be OK, I wanted to lookup and find a global solution (One that works in all browsers, and in fact all applications)

Granted I don't know for sure if that is even the case, so it's really a moot point.

Re:An easier solution

[FreeFull]

You missed that the vulnerability depends on VBScript, which only IE supports

Re:An easier solution

[dissy]

You missed that the vulnerability depends on VBScript, which only IE supports

I didn't miss that. I did however miss where it states IE must be running with its full GUI interface in order to be a problem however...

After all, IE is in pretty much every other MS app that has to do anything with web sites, and pretty much most things to do with the internet (For some reason, MS loves redeveloping all the existing TCP protocols, but doing them over HTTP)

The IE object used for that comes with IEs VBScript, which invokes windows help center, which just in case this also needs stated, runs on top of windows which is running on a computer :P

Unless it is very specific to 7 versions of IE (major rev 6-7) and their specific GUI, vbscript, and help center systems.
As I said, the article didn't seem to say, and I have F1 disabled already accrost the entire system.
(Yes, IE and VBscript too are both still part of the 'entire system')

Firefox/Apple/Opera can't fix core OS

[Ilgaz]

It doesn't sound great for publicity but, Firefox/Opera/Safari developers should really educate newbies telling they _still have to have windows security updates_ whether they use IE or not.

It is a core part of OS they are running and it will stay for a long time. I saw many people who doesn't update windows just because they use Firefox. Some rare cases, they didn't even have antivirus installed.

OS X scene isn't that horrible yet but for Windows, not having security updates is really crazy unless you are on a isolated/secured/mission critical machine.

Also...

[davidbofinger]

Also, if you type "google" into google, you can break the internet so don't do it, even as a joke.

Did you use fat32--ntfs converter?

[Ilgaz]

The stock command coming with XP can convert FAT32 to NTFS in matter of minutes. I guess it would take seconds if it didn't do a chkdsk internally. Now, instead of all that trivial junk being told to user while installing Windows XP, MS could say "We introduce a new filesystem with Windows XP, it is faster, more reliable and has more features. It also makes checking disk needless." with "Convert my startup drive to NTFS" checkmark selected.

That time, users would move to NTFS and no, they would still have no clue about the filesystem they run. So, for 8 years, everyone could be running some kind of modern filesystem rather than something designed for DISKETTES.

Apple did it when they were absolutely sure journaling doesn't create problems for 99.999% of users, with couple of clever UI tricks, they made sure everyone enabled journaling. They still do the similar tricks to prevent users easily disable journaling (mostly because of FUD on www). I wasn't around on Mac scene when HFS got upgraded to HFS+ but I am sure they did similar tricks to make users move and get rid of archaic filesystems.

Re:Did you use fat32--ntfs converter?

[ffreeloader]

I can tell you from my experience during my noob days that changing a system drive from FAT to NTFS, in place and outside of a reinstall of the OS, is NOT a reliable thing to do. It can be a sure way to require a reformat and rebuild as afterwards your system can be one very buggy mess.

As C: drive is the only drive partition on most Windows computers it made moving from FAT to NTFS without reinstalling your OS a risky proposition that MS did NOT recommend. Unfortunately, they just left the checkmark out there without the warning about doing this to a system drive. If you didn't read the MS literature associated with that option you wouldn't know that MS said NOT to do this to a system drive.

Re:Did you use fat32--ntfs converter?

[ConceptJunkie]

That must have been before NT 4.0 because I never had a problem doing that very thing. But wait. Did NTFS even exist before NT 4.0? Ah. Wikipedia says it was introduced with NT 3.1, which I never used, and I only used NT 3.5x briefly.

In any event that problem was solved a long time ago.

Re:Did you use fat32--ntfs converter?

[ffreeloader]

That must have been before NT 4.0 because I never had a problem doing that very thing. But wait. Did NTFS even exist before NT 4.0? Ah. Wikipedia says it was introduced with NT 3.1, which I never used, and I only used NT 3.5x briefly.

In any event that problem was solved a long time ago.

Nope. The problem, when I ran across it, was in Win2K. Having used no version of Windows later than that I can't say if the "system partition" problem during conversion was ever fixed. Since all new Windows OSes use NTFS by default it's a moot issue with them.

Re:Yes, AutoHotkey. Change any key to anything els

[ae1294]

Can I change another key to be the any key? I can never find that darn thing.

You can't find it because it's sold separately. How the heck have you been using your computer all this time without one?

Disabling help svc is an early part of install

[SlappyBastard]

Especially with XP, the last version of Windows that allows you to nuke absolutely every service, disabling help is one of the first things I do.

Re:Disabling help svc is an early part of install

[Slashcrap]

Especially with XP, the last version of Windows that allows you to nuke absolutely every service, disabling help is one of the first things I do.

If it allows you to nuke every service, please do so to RPC, DCOM & LSASS. Come back and let us know how it went.

Re:Disabling help svc is an early part of install

[springbox]

It certainly does let you stop whatever you want! The computer stops working, though.

Re:Disabling help svc is an early part of install

[SlappyBastard]

Oh, you know what I meant. A solid 90% of services on XP can be disabled, which is a far cry from Windows 7, where you have to keep a very clear list of what you turned off to make sure you don't trip over the dependencies.

I know this is Slashdot, so perhaps I should just apologize for using hyperbole.

The new face of Godwin

[Torodung]

Wouldn't it have just been better to say, "Oh my, bad car analogy" and call it a day?

--
Toro

This is simply horrifying

[markus+o'farkus]

Whenever I had to admin a windows network, this is the one goddamn key I wish my users would have hit before picking up the phone.

And now they won't because they don't want to get virus?

I mean, I don't really care any more since I support Linux, but, shit man, I feel bad. That's just not right.

Advisory is not quite right

[yellowstone]

Here, let me fix it:

[T]he vulnerability relates to [...] using Internet Explorer

You're welcome.

Best way to stay trouble free on Windows? Don't use IE. Or Outlook. Or IIS.

Re:Advisory is not quite right

[Inda]

Gee thanks mister!

How to I make help files open in Firefox by only pressing the F1 key?

Re:Advisory is not quite right

[AlgorithMan]

or windows... (yes, that logically means not using your computer, but that is what I wanted to express...)

Re:Advisory is not quite right

[Phat_Tony]

Best way to stay trouble free on Windows? Don't use IE. Or Outlook. Or IIS.

No no, the "forbidden key" approach is correct, they just haven't gone far enough with it yet. If you just exclude using all the keys, and the mouse, you won't have any trouble with Windows.

What about on my Xbox?

[Rouverius]

Man, And I was just about to play F1... Good save. ;)

I'm sure this happens every day

[ClosedSource]

"The security advisory says that the vulnerability relates to the way VBScript interacts with Windows Help files when using Internet Explorer, and could be triggered by a user pressing the F1 key after visiting a malicious Web site using a specially crafted dialog box." ... except on Tuesdays.

Raise your hand

[Allnighterking]

If you are running XP and pressed the key just to see what would happen. Raise both hands if you are running 7 OSX and/or Linux and are pressing the key like mad just to rub it in to those who can't.

Re:Yes, AutoHotkey. Change any key to anything els

[Allnighterking]

Go here. Comes complete with a Panic Button too. http://abernook.com/prod/Panic-Button-Gift-Set.asp?source=froogle

Does the F1 Key

[hduff]

help tax Scott Charney?

Re:Yes, AutoHotkey. Change any key to anything els

[ae1294]

But I run windows??? I never need to press a key to get a kernel panic...

Windows XP

[LinuxAndLube]

What's Windows XP?

i work pirates

[g4b]

> Just to finish up, consider what happened on OSX with pirated copies of iWorks.

well, if you go deeper into matter, it seems, it was a trial installer of iWorks, not a pirated full version. Since pirating is used in terms of downloading software you normally have to buy, I would not call it pirated.

There is a similar story about fraud, using an advertisement to download openoffice offering dialers or payed subscriptions for the download. Also that OpenOffice you download there is not really pirated, now is it? (worst thing: that fraud is even legal).

Of course I could be wrong, but http://blog.notahat.com/posts/28 tells me, its a trial installer.

I dont own an apple, so it could be that the trial installer is also the full version you have to enter a code into, and the "pirated" copy had a registration key or crack in bundle.
But there are millions of sites offering downloads of whatever, like directX. It would be easy thing to extend it with a virus, which is kinda your point.

Was just the word "pirated" that somehow irritated me :)

From the article: They had four weeks to fix it

[janwedekind]

From the article:

By Prodeus' account, he notified Microsoft of the flaw Feb. 1, about four weeks before publishing his findings.

Oh noes, MS changed my world

[g4b]

Pressing F1 accidently

Until Feb 2010: "Nooo! Not the f.. Indexing! I wanted to..." *SLAM* -> primary feeling is anger.

From Feb 2010: "Nooo! Have mercy!" -> primary feeling is fear.

MS just healed one of the two major choleric computer users' psychological triggers, now they only have to replace the Don't send or send Error report popup with a virus, too.

Being transformed by fear to my new tyrant, I SHALL GUARD MY F1 BUTTON WITH MY MOUSE+1! YOU SHALL NOT PRESS!

Better to just not press any keys in Windows XP

[gig]

If you are still using XP at this point, who cares? Go for it. Press F1 while running FlashPlayer and Acrobat and IE6 simultaneously. If you gave a shit or had any data worth protecting you'd already be using a Mac or other Unix.

I like this department name better:

[Two99Point80]

"Don't Touch Me There!"

A brilliant idea!

[ElusiveJoe]

Now windows users finally start to RTFM! Great job MS!

Ease-of-use, Microsoft-style

[Schraegstrichpunkt]

Whenever people say that Microsoft products are easy to use, they are conveniently ignoring stuff like this.

And geeks wonder why normal people are intimidated by computers...

I have to use the F1 key

[cvtan]

The F1 key selects the flashbomb in Thief Deadly Shadows which is necessary in any computing environment!

F1 key is the least of our worries

[zmaragdus]

The F1 key threat isn't that bad. It's the power button that creates a real vulnerability.

No, the problem is with IE

[WD]

The problem is the handling of VBScript in IE. No other browser supports VBScript.

Offer Remote Assistance

[jimbob666]

Well that's my method for 'offering remote assistance' screwed then ;-)

Re:Yes, AutoHotkey. Change any key to anything els

[AlgorithMan]

just a second.... *hack*hack*haaaaaaack*... there, I changed it to the space bar for you...

So now "Press any key EXCEPT F1 to continue"?

[noidentity]

I guess now I'm going to be getting support calls from people unable to find the "any key except F1" key.

Re:Yes, AutoHotkey. Change any key to anything els

[ae1294]

But I run windows??? I never need to press a key to get a kernel panic...

Troll Really? Fuck you Microsoft fanboys... go press your F1 key a couple times...

Well, that's helpful...

[dpastern]

I couldn't help myself *grins*

Dave