Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Says, Don't Press the F1 Key In XP

Posted by kdawson on from the any-key-but-that-one dept.

Ian Lamont writes "Microsoft has issued a security advisory warning users not to press the F1 key in Windows XP, owing to an unpatched bug in VBScript discovered by Polish researcher Maurycy Prodeus. The security advisory says that the vulnerability relates to the way VBScript interacts with Windows Help files when using Internet Explorer, and could be triggered by a user pressing the F1 key after visiting a malicious Web site using a specially crafted dialog box."

74 of 324 comments (clear)

  1. Well, at least the important keys still work. by dmgxmichael · · Score: 5, Funny

    As long as CTRL-ALT-DELETE still works we're golden.

    1. Re:Well, at least the important keys still work. by gerf · · Score: 2, Insightful

      More importantly, is there a way to disable F1 in Windows? I can't tell you how many times I've accidentally hit it when trying to hit Esc.

    2. Re:Well, at least the important keys still work. by c++0xFF · · Score: 5, Insightful

      Just now, for the first time in my life, I pressed F1 in Windows on purpose.

      Lots of interesting information is in there, and I even learned a few things (I didn't know XP had a private character editor). But I don't know anybody who uses the windows help system on purpose.

      Google already provides good help for Windows.

    3. Re:Well, at least the important keys still work. by Monkeedude1212 · · Score: 2, Insightful

      The actually funny part about this is that most users find that they hit F1 triggering help files on accident - Windows help has long such been little to no help at all, offering nothing you didn't already know. Most of the time you are meaning to press F2 to rename something.

    4. Re:Well, at least the important keys still work. by Anonymous Coward · · Score: 4, Informative

      http://www.randyrants.com/sharpkeys/

      This will remap any(?) keys in windows at a registry level.. including media keys and the f > 12 keys.

    5. Re:Well, at least the important keys still work. by CannonballHead · · Score: 2, Informative

      I thought you were doing the typical "fixing Windows is easy, just install Linux!" joke... which appeared to fail based on the first hit, since it was how to install Windows ;)

      As for FAT vs. NTFS, how many people know the difference between disc and drum brakes? I don't know if knowing about filesystems is a requirement for using a computer - or that it even should be. If you want people to switch to Linux (hey, I think it's a good idea too, most of the time :) ), requiring them to read about filesystems is going to be a problem. They don't care... and don't WANT to know, it is a waste of their time.

      Which is why "defaults" are important. Even when I install Linux I'm ok with either reiserfs or ext3 (or ext4). The average user doesn't care if it's a journaled filesystem or not. The average user doesn't care about how the hard drive is partitioned. The average user probably has no idea what "partitioning" means. And why should they care anyways? I don't know half of what my mechanic talks to me about either... I'm glad he knows, but at the end of the day I just want my car to keep working and be a good car...

      The problem with Windows users is not that they don't know about NTFS, FAT, partitioning, disk drives, SATA vs. PATA, or what-have-you. The problem with Windows users would be more along the lines of not being able to tell - or not caring to? - what a phishing attack is... thinking downloading and installing programs from who knows where is a good idea... thinking backups are for "important" people and they don't need to back things up - or if they do it's really just software that causes problems, not hardware [ha. I just had a 2 year old SATA drive die on me])...

      If we are going to educate users, I can think of many other things I'd rather tell them, hehe. Incidentally, I usually start with explaining how exactly folders and files work. Most people could not explain how to find their "desktop" folder certainly could not explain how the folder/file hierarchy works. Once people understand that, it makes them soooo much more independent and not asking "I downloaded a picture but I can't find it, where did it go?" every other day :)

    6. Re:Well, at least the important keys still work. by shermo · · Score: 5, Informative

      autohotkey.com

      Open source programme that allows you do do anything with your keys. Careful though, once you start you won't stop.

      --
      Insanity: voting in the same two parties over and over again and expecting different results
    7. Re:Well, at least the important keys still work. by dissy · · Score: 4, Informative

      More importantly, is there a way to disable F1 in Windows? I can't tell you how many times I've accidentally hit it when trying to hit Esc.

      Regedit: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\HELPCTR.EXE

      For the default key at the top usually named (Default)
      Either delete the path to helpctr.exe so the value is blank (Value not set), or download the dummy.exe from the actual directions below and point it to that.

      http://www.hydrous.net/weblog/2007/06/23/disable-f1-in-windows-exporer

    8. Re:Well, at least the important keys still work. by Froboz23 · · Score: 5, Funny

      Tech Support: See this button? Don't touch it! It's the history eraser button, you fool!

      User: So what'll happen?

      Tech Support: That's just it. We don't know. Maybe something bad. Maybe something good. I guess we'll never know, 'cause you're going to guard it. You won't touch it, will you?

      --
      Take off every Sig. For great justice.
    9. Re:Well, at least the important keys still work. by ffreeloader · · Score: 2, Interesting

      First you say it really doesn't matter if Windows users know anything about how their system is set up and how things work, but then go on to explain how their ignorance about how things work is their greatest weakness. You pretty much defeat defeat your own argument without realizing it.

      --
      "while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude." de Tocqueville
    10. Re:Well, at least the important keys still work. by ls+-la · · Score: 2, Insightful

      More importantly, is there a way to disable F1 in Windows? I can't tell you how many times I've accidentally hit it when trying to hit Esc.

      A screwdriver will work. It's even cross-platform.

    11. Re:Well, at least the important keys still work. by zapakh · · Score: 3, Insightful

      You pretty much defeat defeat your own argument without realizing it.

      GP is comparing two broad classes of knowing how things works, and asserting that ignorance of one of them is a problem. This is not contradiction, it is drawing a distinction.

      I don't need to know how my fuel injection system works, but I had better know what to do at a stop sign.

    12. Re:Well, at least the important keys still work. by Anonymous Coward · · Score: 5, Funny

      Best to change it to:

      Shutdown -s -f -t 00

      Will make windows much more efficient :)

    13. Re:Well, at least the important keys still work. by ravenshrike · · Score: 3, Funny

      Or you could use FF/Opera/Chrome. Really the title should be, Don't use IE in XP.

    14. Re:Well, at least the important keys still work. by ffreeloader · · Score: 2, Insightful

      I don't think that pointing people to community resources is a bad thing. In the vast majority of cases, unless it's a very, very, odd forum/community if bad advice is given that advice will be promptly nullified.

      I haven't used Windows in years so I'm very used to community support. I find it better than formal support because there is usually at least a couple of people on every help forum who have a real knack for explaining things to non-technical people. Also, getting more than one point of view, and more than one way of presenting information usually results in a better understanding of the problem for the noob/not_knowledgeable_user unless they have zero technical ability and then it doesn't really matter where you send them they aren't going to learn anything.

      --
      "while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude." de Tocqueville
    15. Re:Well, at least the important keys still work. by RadioElectric · · Score: 5, Funny

      BEST DECISION I EVER MADE.

    16. Re:Well, at least the important keys still work. by kimvette · · Score: 2, Interesting

      having drum brakes won't make it easier for people to steal your car, or cause it to suddenly stop working while you're driving

      I take it you have never had a "classic" car with drum brakes all around. I assure you that drum brakes can suddenly stop working; they are far more susceptible to fade than disc brakes with vented rotors, and if you don't know to ride the brakes a bit after driving through puddles if you have drum brakes (to boil off the nice layer of water that ends up being a great lubricant on the shoes) you can end up with NO braking "power." There is good reason a lot of owners of antique R^HMustangs upgrade to front disc brakes even for non-performance builds.

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    17. Re:Well, at least the important keys still work. by yakumo.unr · · Score: 3, Informative

      Presumably autohotkey has to stay running in the background?

      If you just remap your keys nothing extra has to stay loaded :

      http://vlaurie.com/computers2/Articles/remap-keyboard.htm

      or Remapkey.exe from the MS server 2008 resource kit : http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en

    18. Re:Well, at least the important keys still work. by Niten · · Score: 5, Funny

      More importantly, is there a way to disable F1 in Windows?

      Possibly. Press F1 and look it up in Windows Help.

    19. Re:Well, at least the important keys still work. by ZosX · · Score: 2, Funny

      woosh

      --
      zosxavius photography
    20. Re:Well, at least the important keys still work. by Abstrackt · · Score: 4, Funny

      BEST DECISION I EVER MADE.

      Everyone knows caps lock is cruise control for cool.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    21. Re:Well, at least the important keys still work. by SEWilco · · Score: 3, Funny

      Oh, good, I need to remap the Any key because I never can find it.

    22. Re:Well, at least the important keys still work. by Ihmhi · · Score: 4, Funny

      Welp, a long time ago I disabled the very annoying Insert Key on my computer with a simple hardware fix.

      1) Get a flathead screwdriver.

      2) Place screwdriver underneath problem key.

      3) Place left hand approximately 1 foot (~0.3 meters) above problem key.

      4) Use leverage to pop key out of keyboard.

      5) Your left hand will block the deadly flying plastic. Be careful not to stab yourself with the screwdriver! Better to have to search around for a plastic key than dig a flathead screwdriver out of your hand.

      --
      Random Thoughts From A Diseased Mind (Not For Dummies)
  2. F1rst by Anonymous Coward · · Score: 3, Funny

    F1rst

    1. Re:F1rst by sexconker · · Score: 2, Funny

      Fa1l.

  3. Yet another reason by Dracos · · Score: 2, Insightful

    This is yet another reason why MS' idea of a tax to deal with malware tax is stupid.

    1. Re:Yet another reason by 0WaitState · · Score: 3, Interesting

      How about we tax microsoft for their polluting the internet with their insecure-by-design OS installs? About $50 per install will put a dent in all the economic damage Windows causes.

      Don't press the F1 key? Jesus fucking christ. What next, don't power up the box?

      --

      Remain calm! All is well!
    2. Re:Yet another reason by Anonymous Coward · · Score: 5, Insightful

      This is yet another reason why MS' idea of a tax to deal with malware tax is stupid.

      It's almost amusing that a Web browser is so tightly integrated with the operating system that scripts run by it can influence core system functions without actually rooting the machine. I guess this is what happens when you ignore decades of computer security history and discard the principle of least-privilege. Hopefully Windows 7 (and Vista) is not defective enough to allow a userspace application to screw around with a built-in OS function like help files.

      Look, if we're honest, the only reason why IE is so tightly integrated with the OS in the first place is because Microsoft wanted to abuse its desktop OS monopoly by using it to dominate the browser market. If not for that, IE would be a standalone browser and would be separate from any built-in HTML rendering that's part of the core Windows system, like help files in this case. This is one reason why I use Linux: Microsoft obviously cares about its marketshare more than my security, and I cannot in good conscience use my money to support a company with such backwards priorities. I'm sure someone will chime in with talk about how useful Windows is, and I won't argue (much) with that.

      This is really a moral issue. Anyone with decent principles wouldn't want to reward a company with such questionable business practices, not even if they made the finest software available. I'm sure the rest of you who don't have such principles will have a million excuses for why you continue to support Microsoft with your wallets, and that's fine. Every dishonest organization has its useful idiots without which it could not continue existing.

    3. Re:Yet another reason by Fnord666 · · Score: 2

      Don't press the F1 key? Jesus fucking christ. What next, don't power up the box?

      Actually if you look at security advisory number ....

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    4. Re:Yet another reason by shutdown+-p+now · · Score: 3, Insightful

      You do realize that KDE, for example, also uses the same HTML component - KHTML - for both its standalone browser, and help system (and many other things)? I'd expect OS X to do the same with WebKit. Gnome is different, but mainly because of the mess they made with GtkHTML vs Gecko vs WebKit; the long-term plan, as I understand, is still to migrate to WebKit for everything.

      It's also purely a matter of practicality - I mean, why would you have two distinct HTML renderers?

    5. Re:Yet another reason by Froboz23 · · Score: 4, Funny

      I don't see what the big deal is. Windows is a perfectly secure operating system as long as you don't access any external media or connect to the internet.

      (Coming from someone who just spent 10 hours removing the Internet Security 2010 trojan malware from his wife's computer.)

      --
      Take off every Sig. For great justice.
    6. Re:Yet another reason by RalphSleigh · · Score: 5, Interesting

      The same HTML rendering component I can understand, but in this case it appears a script running in a web browser instance of the component can somehow affect the help rendering instance, and that is a quality WTF.

      --
      Come as you are, do what you must, be who you will.
    7. Re:Yet another reason by shutdown+-p+now · · Score: 4, Insightful

      You do realise that KDE and Gnome are not operating systems? "OS X" is also not an operating system in the typical sense of the word; it has Darwin [wikipedia.org] under the covers, responsible for managing all the hardware and important functions like permissions, ensuring that the core system can't be hosed when an rogue application is somehow allowed to be run as a user.

      Guess what? Windows works in exact same way. There's the kernel there, then a set of userland APIs on top of then, then the UI layer, and finally the actual DE. Just because they are shipped in a single box, and aren't explicitly marked as separate, and given funny-sounding names, doesn't mean they aren't there.

      Do you seriously think that NT kernel somehow uses IE under covers?

      It is comforting to know that if something goes wrong on Linux or OS X (or similar), that the problem is almost always limited to only a single 'user' account

      It depends on your definition of "something goes wrong". A privilege escalation exploit has the same problems on any OS, and without one you can't break the system on modern Windows versions (speaking of which, note how Vista/7 aren't vulnerable in this case), either - user account security is not fundamentally different in NT compared to Unix.

      Oh, and this isn't what is usually understood by a privilege escalation vulnerability - it doesn't give you root or anything. It's rather a sandbox breakage - scripts which should be executing in a browser sandbox "leak out", and run with all privileges of the user interacting with the machine.

  4. F1! by fm6 · · Score: 5, Funny

    F1!
    I need somebody!
    F1!
    Not just anybody!
    F1!
    You know I need someone!
    F1!

  5. Only MSIE users by icebike · · Score: 2, Insightful

    Any XP user still using Internet explorer probably hasn't a clue that F1 does anything at all.

    --
    Sig Battery depleted. Reverting to safe mode.
    1. Re:Only MSIE users by Alien1024 · · Score: 3, Interesting

      This probably affects any help file in html format, which is displayed through the IE rendering engine. Many new applications use html help files.

  6. Or as Buzz Out Loud says... by Rammed+Earth · · Score: 2, Funny

    F1 is now FU! (originally from BOL chatroom)

  7. MS was concerned about how this was exposed? by Meshach · · Score: 5, Insightful
    From TFA:

    Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

    I find the idea that Microsoft is angry at the people who found a problem in Microsoft software not telling Microsoft about it hilarious.

    --
    "Maybe this world is another planet's hell"
    Aldous Huxley
    1. Re:MS was concerned about how this was exposed? by timeOday · · Score: 5, Insightful

      Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug. You can't argue that "security researchers" who sell 0-day vulnerabilities on the black market are helping anybody but themselves (not that Prodeus fits this description).

    2. Re:MS was concerned about how this was exposed? by martin-boundary · · Score: 3, Interesting

      Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users

      It does not. It minimizes potential damage to the brand, so the vendor can decide if it's worth their while to do something.

      You can't argue that "security researchers" who sell 0-day vulnerabilities on the black market are helping anybody but themselves

      Better they sell it on the black market than they use it quietly. Moreover, if there's a market, then it's worth something and "good guys" can bid, too.

    3. Re:MS was concerned about how this was exposed? by causality · · Score: 5, Insightful

      Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug. You can't argue that "security researchers" who sell 0-day vulnerabilities on the black market are helping anybody but themselves (not that Prodeus fits this description).

      I frequently hear this type of reasoning. It should be listed as a known/cataloged talking point so we can all absorb it once and move on, instead of seeing it rehashed every time this sort of discussion comes up. Sorry but old and well-worn arguments aren't contributing much. They don't have much power to convince anyone who doesn't already subscribe to that viewpoint.

      What I don't hear so much about is the incentive provided by full public disclosure. If you know that security vulnerabilities will be disclosed to the public, that this will result in security problems for your customers, that it will cause public humiliation for your company, is this not a strong incentive to secure your software in the first place? Confidential disclosure to the vendor only seems like it lets them off the hook a bit too easily. I'd normally be slow to view it that way, but Microsoft has a long history of such problems despite having tremendous resources it could dedicate to proactively eliminating them. They have the expertise, they have the money, they have the ability; what they lack is the will. There's simply no excuse for allowing a browser to influence bulilt-in OS functions. I view this more like negligence on Microsoft's part and less like an unforeseeable event that could have happened to any vendor.

      As far as causing the least harm to the end users, should we be concerned about this in the long run? In the short term this can be quite unpleasant, and I don't enjoy the idea that someone who just wants to get their work done might have problems because of something beyond their immediate control. But it's not entirely beyond their control. Microsoft could not possibly exist were it not for the users who purchase its products.

      When its products malfunction in preventable ways, they make the Internet a worse palce for everyone. I may run a relatively secure *nix machine, but I can still receive spam e-mail delivered by compromised Windows machines. So can everyone else. Since the situation could not possibly exist if not for Microsoft's users, is it really an injustice that they catch some flak when the entity they keep financially supporting fails to do its job? If they dislike this, should they not be a bit more careful about how they vote with their wallets and for whom they vote? I know the victim mentality is popular these days, but if you either know or could have known what you're dealing with, and continue to behave as though you do not and cannot know, should you cry fowl when there are negative consequences?

      Microsoft has a long history of problems like this. Anyone who deals with them and doesn't know that has simply failed to do their homework. The real "accomplishment" of Microsoft is that they, through their widespread presence, have convinced the general public that exploits, malware, and other security problems are a normal part of operating a computer. I'm not claiming that Microsoft's products are without merit; if they were, even the non-technical masses would not use them. I am merely skeptical of any notion that their positive contributions to this industry have outweighed their business practices and their negative contributions to this industry.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    4. Re:MS was concerned about how this was exposed? by causality · · Score: 4, Insightful

      Sheesh, blah blah blah. What your parent said isn't a talking point. His point was much better than yours in less words. All a researcher has to do is notify MS. Give them a reasonable amount of time that you clearly specify(say a month) and then publicly disclose it. Your disdain of MS shouldn't erode your common sense.

      You have failed to address the issue I raised.

      If its users were more discriminating and more willing to expect quality, I would have no reason to disdain MS. You act like any disdain on my part is an opinion or a matter of taste, and not like MS has soundly earned it.

      Microsoft is a business. That means they will tend to do whatever makes them the most profit. If selling garbage makes profit for them, then they will sell garbage. If no one is willing to buy garbage, then they will be forced to sell quality. Therefore, Microsoft does whatever its paying customers are willing to put up with.

      The point I raise, to restate it for you, is that this multibillion-dollar company with many highly skilled employees has both the expertise and the resources to design their systems in such a way that they do not suffer such vulnerabilities. They don't do this because they can profit without doing this; therefore, why would they go to the trouble when more effort means more expense? They can profit without doing this because their paying customers will tolerate insecure products. They think malware and other system compromises are an inherent aspect of owning a computer. If people who hold this false belief and use their money to support a vendor which caters to this false belief suffer because of this false belief, why should that trouble the rest of us? Are they not reaping what they sow?

      Those of you who believe in confidential, discreet disclosure are implying that the effects on the customers should trouble the rest of us. I'm willing to entertain the idea, but to do that I need someone to tell me why Microsoft's customers are not merely reaping what they have sown. You have not addressed this. If you would like to, I'm all ears, but attempting to tell me that Microsoft's security history is irrelevant, that it's unfair to consider its business practices and priorities, or that I should ignore the fact that they have both the knowledge and the resources to deliver more secure products will never work with me. Please save that and your "blah blah blah" handwaving for the pushovers who are impressed by your assertions. As for me, I deal in facts.

      Again, if you would like to actually address any of the issues I have raised, I'm all ears. The fact that you dislike my opinions has been noted, but does not constitute a worthy response.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    5. Re:MS was concerned about how this was exposed? by roystgnr · · Score: 2, Funny

      should you cry fowl when there are negative consequences?

      Certainly not. That would be ducking responsibility.

    6. Re:MS was concerned about how this was exposed? by GNUALMAFUERTE · · Score: 3, Insightful

      Bullshit. When you find a security issue in a piece of Free Software, you feel compelled to fix it. You can fix it and submit the patch (and get the credit for it) without leaving your desktop. Everything is there. do a svn checkout, fix, commit. That's all. People will thank you, and you'll feel great.

      When you find a security issue on a microsoft product, you have to:

      Find a way to report the bug. You know, it's not simple ... contacting someone in there is impossible. you can send an email and blindly wait for it to be fixed. But behold, if they do take your bug report, they are probably not going to fix it. Wait six months sitting on the bug report. When it becomes public, they'll first sue you for attacking their OS, and most likely win. If you publish the bug on your blog, you'll get threats and DMCA takedown notices. Then, 3 months layer, they'll quietly patch it, with a 200mb security update, that will break 10 other applications, cause every machine to blue screen, and probably introduce 10 new vulnerabilities. 2 Week later, they'll start telling people to NOT install that latest service pack. A year later, the patch will go away due to some other update that fixes it, or some other external agent (like an antivirus software) "fixing" the issue. 5 years later, a brand new version of windows will come out, and the bug will resurface.

      And, whatever happens, you won't get any recognition, and windows will still be totally insecure. Microsoft will still make billions out of it.

      So, why help? For all I know, the best strategy to a more secure Internet is to let microsoft die ....

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    7. Re:MS was concerned about how this was exposed? by causality · · Score: 3, Insightful

      Computers are insecure. Networked computers are even more insecure. Windows is the low hanging fruit. I know it sounds tired, but if Linux had the same market share as Windows, you'd see the same kind of cat and mouse game going on between security researchers and malware programmers. If you put Ubuntu 9.10 on 80% of computers connected to the internet, and loaded it up with the 10 or so typical apps that people use (word processors, web browsers, Flash, etc), within six months you'd see vulnerabilities popping up left and right.

      It does sound "tired" and I appreciate that you are up-front enough to concede this, but in the same spirit I can admit that it's not unreasonable to wonder it. Still, I have a simple issue with this argument. While it has nowhere near the marketshare of Windows, there are still millions of Linux computers connected to the Internet. Compared to Windows, a disproportionately large number of Linux machines are beefy servers with large amounts of bandwidth. If they were as easy to take over as a home user's Windows machine, they would be more attractive targets. Yet there are no successful viruses or other self-replicating malware programs for Linux in the wild. There are proof-of-concept viruses, but they do not propagate on the Internet.

      At the end of the day, it's all software running on an x86 processor. All it takes is one lazy coder, one tired QA guy, or one bad library and you have a zero day exploit. Computers need to execute code. You can only run so many checks on any given input. You can only limit the functionality of a module so much before it becomes useless. You can only bug users with "Are you sure you want to run this?" prompts so many times.

      My disagreement here is that you don't need to prompt the user or enable any highly exotic verification to prevent the exploit that is the subject of this article. All you need is some decent sandboxing. Yet one of the most powerful, resourceful, and well-staffed software companies in the world failed to implement it for this version of Windows. Something there does not add up.

      If you want an idea of a secure operating, turn your web browser security settings to Prompt/Ask. JavaScript, HTML, XML, EVERYTHING set to prompt. Spend a week browsing the web in that configuration. Let me know how you like it.

      In my opinion, you are engaging in quite a bit of hyperbole there. On my Linux system, the "help" function (in my case, a part of KDE) is implemented by binary executables that are owned by the root user while readable and executable (but not writable) by the user who is running them. Firefox, which runs in a similar fashion and also has the privileges of my normal non-root user, cannot affect the KDE online help even if it wanted to. This is an example (and not the best one) of the principle of least privilege. Firefox doesn't need to have the power to modify other parts of the system, so it has no such power. Simple.

      There's no need for me to enable any extra confirmation dialogs, or anything else in order to achieve this. I simply enjoy it as part of the fundamental design of this operating system. I have a very hard time believing that one of the most well-funded, well-staffed software companies the world has ever seen was not capable of either matching or surpassing this level of robustness. This was already a standard feature of Linux before XP was released. That isn't the sort of "innovation" they keep talking about. It's more like a bad job of playing catch-up now that more recent Windows versions have improved in this area.

      Windows is not merely the low-hanging fruit. It's more like the pre-chewed fruit that is already partially digested. Perfect security is of course not possible. But if you want to eliminate all the large botnets and spam networks, that's easy: make Windows security strong enough that automated attacks will not compromise it. Make it

      --
      It is a miracle that curiosity survives formal education. - Einstein
    8. Re:MS was concerned about how this was exposed? by dweller_below · · Score: 3, Interesting

      Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug.

      IN A TIMELY MANNER.

      You forgot the bit that's at the core of the disclosure debate. Virtually everybody in the security industry agrees on the principles of disclosure. All the flames are over the timing.

      In one corner, we have Microsoft. They appear to believe in full disclosure, once the disclosure will have no adverse effects on stock price or profitability.

      In another corner, we have a tiny handful of scum sucking, mercenary security researchers who believe that disclosure will happen just as soon as they get paid. And the terms of that disclosure will be whatever the purchaser wants.

      In the other corners, and carpeting the entire floor, are all the rest of the security community. They believe that full disclosure must happen in a time-frame that minimizes damage to the user community. They just can't agree on when that might be.

      This lack of a concensus has made it easy for Microsoft to define the current terms of disclosure. The result has been suppression of disclosure for longer and longer periods. The inevitable consequence is more and more '0' day exploits.

      In September 2009, SANS released an excellent State-of-the-Internet on the top cyber security threats: http://www.sans.org/top-cyber-security-risks/ One of their points was:

      "World-wide there has been a significant increase over the past three years in the number of people discovering zero-day vulnerabilities, as measured by multiple independent teams discovering the same vulnerabilities at different times. Some vulnerabilities have remained unpatched for as long as two years."

      To demonstrate this issue they enumerated the history of MS08-031:

      For example, MS08-031 (Microsoft Internet Explorer DOM Object Heap Overflow Vulnerability) was discovered independently by three researchers. The first researcher submitted remote IE 6/7 critical vulnerability on Oct 22, 2007. A second independent researcher submitted the same vulnerability on April 23, 2008. A third independent researcher submitted the same vulnerability on May 19, 2008. All three submissions outlined different approaches of auditing and finding the same vulnerability.

      What goes unstated is while 3 'responsible' researchers disclosed to Microsoft and waited and waited, unknown numbers of hackers also discovered the vulnerabilities and exploited them.

      Just this week, a dozen well managed, fully patched, WinXP (with .NET installed) computers at my institution were compromised by clicking on a major news site (http://www.ksl.com/index.php?nid=148&sid=9814436).

      Microsoft would have us believe that this is acceptable. But really, would immediate, full disclosure be any worse?

      Miles

    9. Re:MS was concerned about how this was exposed? by dave562 · · Score: 3, Informative

      It does sound "tired" and I appreciate that you are up-front enough to concede this, but in the same spirit I can admit that it's not unreasonable to wonder it. Still, I have a simple issue with this argument. While it has nowhere near the marketshare of Windows, there are still millions of Linux computers connected to the Internet. Compared to Windows, a disproportionately large number of Linux machines are beefy servers with large amounts of bandwidth. If they were as easy to take over as a home user's Windows machine, they would be more attractive targets. Yet there are no successful viruses or other self-replicating malware programs for Linux in the wild. There are proof-of-concept viruses, but they do not propagate on the Internet.

      It comes down to target market. The people running Linux servers are qualified administrators. Linux servers are generally role specific. They probably only have a few apps running on them. Unless a network is being run by someone without a clue, Windows servers aren't getting taken apart by driveby downloads. The exploits are happening in one of two cases. Either internal users are leave the secured network and hitting compromised sites, or social engineering-esque exploits are coming in through the mail system, IM, etc.

      You brought up Linux servers and then jumped sidways to talk about home Windows boxes. What are we talking about here, apples or oranges? Servers or workstations? What percentage of the Linux boxes are all running a uniform kernel and distro? Where are the consistent apps on every platform? Think like a malware writer for a second. Think like someone trying to find where in RAM an offset is going to be living. Think of an infection vector. What are you aiming for on Linux? KDE? Gnome? X? What revision? Be a serious for a second. If you know enough to write exploit code, what pool are you aiming for? Where you are going to focus the limited time that you have?

      Think about the real world. Movie-esque financial heists where you clear millions of dollars out of a compromised system don't happen (unless you work for Wall Street, and then it's legal). Real world fraud is done with compromised credit cards and bank accounts. That data is swapped across the web and kept in Quickbooks. It is locked up in bank websites that have easy to intercept (on a compromised system) authentication mechanisms. If you were going for money, where would you go? Windows, or Linux? Fraud is a numbers game. System cracking is mostly automated. You find an exploit, write a bot and start scanning for the vulnerability. Out of any given Class B block, what percentage of IPs are Windows boxes? What if you're targeting Charter, Time Warner or Cox?

      It all comes down to the users, and the numbers of them. It takes time to write an exploit. If you were to roll out 450,000,000 Ubuntu 9.10 workstations with the same web browser and mail client and give them to the general public, you'd have exploits. You'd have exploits if the general public were storing data that thieves cared about. You'd have "Linux Antivirus 2010" the first time someone figures out how to trick a user into downloading a script that resizes their desktop, or randomly changes a .conf file. From there how long until a user "clicks here" on the identical to Canoncial's system message themed dialogue to fix it? How long do you really think it would be before someone finds where Thunderbird or whatever client you want to load with Ubuntu stores its address book? Does Ubuntu desktop even have ufw on by default? I know I had to enable it myself when I loaded 8.04 LTS server. What would stop someone from kicking off an smtpd process, or loading some code to piggy back on Thunderbird?

      Arguing Linux versus Windows in the hands of John Q Public is sort of like trying to prove or disprove God at this point. We don't have a large enough sample size to make definitive statements on. IMO, human nature doesn't go away because people use different OSes. The

  8. Windows Help F1 by edsousa · · Score: 5, Informative

    This won't affect anybody: those users that aren't very computer literate don't even know that help exists and is one key away... the other ones already know that windows help won't lead you anywhere!

    1. Re:Windows Help F1 by blackraven14250 · · Score: 2, Funny

      Ever heard of people who know just enough to be dangerous?

  9. Wishful thinking by Anonymous Coward · · Score: 5, Insightful

    "Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."

    Call me a cynic, but I've got to be honest: The net effect may be positive, but I don't believe that Microsoft's idea of 'responsible disclosure' results in high priority investigation and timely patching of MS products.

  10. F1 key? by shivamib · · Score: 3, Insightful

    I tried it and got a Firefox friendly help tab. F1 is the second most annoying key.

    What you really don't want to press is that cursed, evil POWER key. You know, when you're trying to find the Page Up ke

  11. Not such a bad advice by Alien1024 · · Score: 3, Funny

    Given the quality of the F1-contents these days, especially in MS apps, that's not such a bad advice - google instead.

    1. Re:Not such a bad advice by Opportunist · · Score: 4, Insightful

      I have yet to stumble upon a helpful help page in Visual Studio 08. Usually a search with Google ends up faster on a relevant MSDN page than pressing F1 in VS.

      Interesting enough, it is also more relevant than a search inside the MSDN or using Bing. You usually do NOT find the same MSDN content as quickly within MSDN or with Bing, but instead get offered pages that try to cram some MS-interface down your throat. Maybe nice if you're programming with that interface, but utterly useless if you're using C++ instead of whatever web-aware magical brewitup crap MS tries to push currently.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. Does it affect Firefox on XP? by BitterOak · · Score: 2, Interesting

    The security advisory says the problem has to do with the way Internet Explorer interacts with the help system. Does anyone know if Firefox users are vulnerable?

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  13. I thought it said 'don't press the 'F' key'... by TeethWhitener · · Score: 5, Funny

    This is ucking ridiculous. I'm a ullerene chemist, or uck's sake!

    1. Re:I thought it said 'don't press the 'F' key'... by courseofhumanevents · · Score: 4, Funny

      +1, unny

  14. To read the rest of this article... by edelbrp · · Score: 5, Funny

    press F1 to continue.

    1. Re:To read the rest of this article... by deniable · · Score: 2, Interesting

      Even funnier if that's a BIOS message. No, don't press F1 if you're in Windows, yes if it's starting up, no not in IE. Help-desks of the world, I feel your pain.

  15. Opens new doors... by mgichoga · · Score: 3, Funny

    We're sunk! What happens someone finally figures out the space bar hack?

  16. I cannot think of a better way to spread this by NicknamesAreStupid · · Score: 2, Insightful

    than to tell people not to do it. Call it fatalism.

  17. Having seen the average MS help file... by Chris+Mattern · · Score: 2, Insightful

    ...you're not losing all that much.

  18. Damn! by Korbeau · · Score: 2, Interesting

    I'll have to stop missing the ESC and ~ key!

    Most annoying thing: press F1 in a software like Visual Studio and have to wait 5 minutes for it to refresh online help.

  19. Re:Yes, AutoHotkey. Change any key to anything els by zapakh · · Score: 5, Funny

    Can I change another key to be the any key? I can never find that darn thing.

  20. AutoHotkey: Editor with syntax highlighting. by Futurepower(R) · · Score: 3, Informative

    AutoHotkey has its own free editor with syntax highlighting.

    I just checked. My AutoHotkey script is 1,639 lines, 52,140 bytes. That doesn't include the special scripts.

    The source code is available, as is a GUI creator.

    The AutoHotkey programming language is quirky.

    AutoIt has a more standard language. AutoIt is better for complex automated installation scripts, for example. AutoHotkey is better for hotkeys. Both offer compilation of their scripts to .EXE files.

  21. Re:This is ridiculous by maxume · · Score: 2

    No, if you are using Firefox, the VBScript that triggers the exploit will not be run.

    (I guess the exploit is still there, but I'm not sure how it is going to do anything, as the trigger requires malicious code to be loaded into IE, and then the user needs to press F1 while the code is doing its thing)

    --
    Nerd rage is the funniest rage.
  22. Microsoft Interview by dawilcox · · Score: 4, Interesting
    I interviewed with Microsoft for a development position a few weeks ago. I found that the interviewers were very arrogant. They assumed they knew all the details about my past projects. It felt like politics with them would be horrendous because everyone is showing each other up.

    Needless to say, I turned down the job offer. It doesn't surprise me how they keep making flub ups like this when the people at their company are so arrogant.

  23. don't worry! by swigabyte · · Score: 4, Funny

    I never hit F1. I've found windows help to be absolutely useless.

  24. Oops! by nastro · · Score: 2, Interesting

    I hit F1 by accident at least once a day trying for the Esc key.

  25. Did you use fat32--ntfs converter? by Ilgaz · · Score: 2, Insightful

    The stock command coming with XP can convert FAT32 to NTFS in matter of minutes. I guess it would take seconds if it didn't do a chkdsk internally. Now, instead of all that trivial junk being told to user while installing Windows XP, MS could say "We introduce a new filesystem with Windows XP, it is faster, more reliable and has more features. It also makes checking disk needless." with "Convert my startup drive to NTFS" checkmark selected.

    That time, users would move to NTFS and no, they would still have no clue about the filesystem they run. So, for 8 years, everyone could be running some kind of modern filesystem rather than something designed for DISKETTES.

    Apple did it when they were absolutely sure journaling doesn't create problems for 99.999% of users, with couple of clever UI tricks, they made sure everyone enabled journaling. They still do the similar tricks to prevent users easily disable journaling (mostly because of FUD on www). I wasn't around on Mac scene when HFS got upgraded to HFS+ but I am sure they did similar tricks to make users move and get rid of archaic filesystems.

  26. Disabling help svc is an early part of install by SlappyBastard · · Score: 3, Informative

    Especially with XP, the last version of Windows that allows you to nuke absolutely every service, disabling help is one of the first things I do.

    --
    I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
  27. This is simply horrifying by markus+o'farkus · · Score: 2, Interesting

    Whenever I had to admin a windows network, this is the one goddamn key I wish my users would have hit before picking up the phone.

    And now they won't because they don't want to get virus?

    I mean, I don't really care any more since I support Linux, but, shit man, I feel bad. That's just not right.

  28. Advisory is not quite right by yellowstone · · Score: 3, Insightful
    Here, let me fix it:

    [T]he vulnerability relates to [...] using Internet Explorer

    You're welcome.

    Best way to stay trouble free on Windows? Don't use IE. Or Outlook. Or IIS.

    --
    150 Opening BINARY mode data connection for slashdot.sig (129323052 bytes).
  29. What about on my Xbox? by Rouverius · · Score: 2, Funny

    Man, And I was just about to play F1... Good save. ;)

  30. Better to just not press any keys in Windows XP by gig · · Score: 3, Interesting

    If you are still using XP at this point, who cares? Go for it. Press F1 while running FlashPlayer and Acrobat and IE6 simultaneously. If you gave a shit or had any data worth protecting you'd already be using a Mac or other Unix.