Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Says, Don't Press the F1 Key In XP

Posted by kdawson on from the any-key-but-that-one dept.

Ian Lamont writes "Microsoft has issued a security advisory warning users not to press the F1 key in Windows XP, owing to an unpatched bug in VBScript discovered by Polish researcher Maurycy Prodeus. The security advisory says that the vulnerability relates to the way VBScript interacts with Windows Help files when using Internet Explorer, and could be triggered by a user pressing the F1 key after visiting a malicious Web site using a specially crafted dialog box."

29 of 324 comments (clear)

  1. Well, at least the important keys still work. by dmgxmichael · · Score: 5, Funny

    As long as CTRL-ALT-DELETE still works we're golden.

    1. Re:Well, at least the important keys still work. by c++0xFF · · Score: 5, Insightful

      Just now, for the first time in my life, I pressed F1 in Windows on purpose.

      Lots of interesting information is in there, and I even learned a few things (I didn't know XP had a private character editor). But I don't know anybody who uses the windows help system on purpose.

      Google already provides good help for Windows.

    2. Re:Well, at least the important keys still work. by Anonymous Coward · · Score: 4, Informative

      http://www.randyrants.com/sharpkeys/

      This will remap any(?) keys in windows at a registry level.. including media keys and the f > 12 keys.

    3. Re:Well, at least the important keys still work. by shermo · · Score: 5, Informative

      autohotkey.com

      Open source programme that allows you do do anything with your keys. Careful though, once you start you won't stop.

      --
      Insanity: voting in the same two parties over and over again and expecting different results
    4. Re:Well, at least the important keys still work. by dissy · · Score: 4, Informative

      More importantly, is there a way to disable F1 in Windows? I can't tell you how many times I've accidentally hit it when trying to hit Esc.

      Regedit: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\HELPCTR.EXE

      For the default key at the top usually named (Default)
      Either delete the path to helpctr.exe so the value is blank (Value not set), or download the dummy.exe from the actual directions below and point it to that.

      http://www.hydrous.net/weblog/2007/06/23/disable-f1-in-windows-exporer

    5. Re:Well, at least the important keys still work. by Froboz23 · · Score: 5, Funny

      Tech Support: See this button? Don't touch it! It's the history eraser button, you fool!

      User: So what'll happen?

      Tech Support: That's just it. We don't know. Maybe something bad. Maybe something good. I guess we'll never know, 'cause you're going to guard it. You won't touch it, will you?

      --
      Take off every Sig. For great justice.
    6. Re:Well, at least the important keys still work. by Anonymous Coward · · Score: 5, Funny

      Best to change it to:

      Shutdown -s -f -t 00

      Will make windows much more efficient :)

    7. Re:Well, at least the important keys still work. by RadioElectric · · Score: 5, Funny

      BEST DECISION I EVER MADE.

    8. Re:Well, at least the important keys still work. by Niten · · Score: 5, Funny

      More importantly, is there a way to disable F1 in Windows?

      Possibly. Press F1 and look it up in Windows Help.

    9. Re:Well, at least the important keys still work. by Abstrackt · · Score: 4, Funny

      BEST DECISION I EVER MADE.

      Everyone knows caps lock is cruise control for cool.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    10. Re:Well, at least the important keys still work. by Ihmhi · · Score: 4, Funny

      Welp, a long time ago I disabled the very annoying Insert Key on my computer with a simple hardware fix.

      1) Get a flathead screwdriver.

      2) Place screwdriver underneath problem key.

      3) Place left hand approximately 1 foot (~0.3 meters) above problem key.

      4) Use leverage to pop key out of keyboard.

      5) Your left hand will block the deadly flying plastic. Be careful not to stab yourself with the screwdriver! Better to have to search around for a plastic key than dig a flathead screwdriver out of your hand.

      --
      Random Thoughts From A Diseased Mind (Not For Dummies)
  2. F1! by fm6 · · Score: 5, Funny

    F1!
    I need somebody!
    F1!
    Not just anybody!
    F1!
    You know I need someone!
    F1!

  3. MS was concerned about how this was exposed? by Meshach · · Score: 5, Insightful
    From TFA:

    Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

    I find the idea that Microsoft is angry at the people who found a problem in Microsoft software not telling Microsoft about it hilarious.

    --
    "Maybe this world is another planet's hell"
    Aldous Huxley
    1. Re:MS was concerned about how this was exposed? by timeOday · · Score: 5, Insightful

      Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug. You can't argue that "security researchers" who sell 0-day vulnerabilities on the black market are helping anybody but themselves (not that Prodeus fits this description).

    2. Re:MS was concerned about how this was exposed? by causality · · Score: 5, Insightful

      Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug. You can't argue that "security researchers" who sell 0-day vulnerabilities on the black market are helping anybody but themselves (not that Prodeus fits this description).

      I frequently hear this type of reasoning. It should be listed as a known/cataloged talking point so we can all absorb it once and move on, instead of seeing it rehashed every time this sort of discussion comes up. Sorry but old and well-worn arguments aren't contributing much. They don't have much power to convince anyone who doesn't already subscribe to that viewpoint.

      What I don't hear so much about is the incentive provided by full public disclosure. If you know that security vulnerabilities will be disclosed to the public, that this will result in security problems for your customers, that it will cause public humiliation for your company, is this not a strong incentive to secure your software in the first place? Confidential disclosure to the vendor only seems like it lets them off the hook a bit too easily. I'd normally be slow to view it that way, but Microsoft has a long history of such problems despite having tremendous resources it could dedicate to proactively eliminating them. They have the expertise, they have the money, they have the ability; what they lack is the will. There's simply no excuse for allowing a browser to influence bulilt-in OS functions. I view this more like negligence on Microsoft's part and less like an unforeseeable event that could have happened to any vendor.

      As far as causing the least harm to the end users, should we be concerned about this in the long run? In the short term this can be quite unpleasant, and I don't enjoy the idea that someone who just wants to get their work done might have problems because of something beyond their immediate control. But it's not entirely beyond their control. Microsoft could not possibly exist were it not for the users who purchase its products.

      When its products malfunction in preventable ways, they make the Internet a worse palce for everyone. I may run a relatively secure *nix machine, but I can still receive spam e-mail delivered by compromised Windows machines. So can everyone else. Since the situation could not possibly exist if not for Microsoft's users, is it really an injustice that they catch some flak when the entity they keep financially supporting fails to do its job? If they dislike this, should they not be a bit more careful about how they vote with their wallets and for whom they vote? I know the victim mentality is popular these days, but if you either know or could have known what you're dealing with, and continue to behave as though you do not and cannot know, should you cry fowl when there are negative consequences?

      Microsoft has a long history of problems like this. Anyone who deals with them and doesn't know that has simply failed to do their homework. The real "accomplishment" of Microsoft is that they, through their widespread presence, have convinced the general public that exploits, malware, and other security problems are a normal part of operating a computer. I'm not claiming that Microsoft's products are without merit; if they were, even the non-technical masses would not use them. I am merely skeptical of any notion that their positive contributions to this industry have outweighed their business practices and their negative contributions to this industry.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    3. Re:MS was concerned about how this was exposed? by causality · · Score: 4, Insightful

      Sheesh, blah blah blah. What your parent said isn't a talking point. His point was much better than yours in less words. All a researcher has to do is notify MS. Give them a reasonable amount of time that you clearly specify(say a month) and then publicly disclose it. Your disdain of MS shouldn't erode your common sense.

      You have failed to address the issue I raised.

      If its users were more discriminating and more willing to expect quality, I would have no reason to disdain MS. You act like any disdain on my part is an opinion or a matter of taste, and not like MS has soundly earned it.

      Microsoft is a business. That means they will tend to do whatever makes them the most profit. If selling garbage makes profit for them, then they will sell garbage. If no one is willing to buy garbage, then they will be forced to sell quality. Therefore, Microsoft does whatever its paying customers are willing to put up with.

      The point I raise, to restate it for you, is that this multibillion-dollar company with many highly skilled employees has both the expertise and the resources to design their systems in such a way that they do not suffer such vulnerabilities. They don't do this because they can profit without doing this; therefore, why would they go to the trouble when more effort means more expense? They can profit without doing this because their paying customers will tolerate insecure products. They think malware and other system compromises are an inherent aspect of owning a computer. If people who hold this false belief and use their money to support a vendor which caters to this false belief suffer because of this false belief, why should that trouble the rest of us? Are they not reaping what they sow?

      Those of you who believe in confidential, discreet disclosure are implying that the effects on the customers should trouble the rest of us. I'm willing to entertain the idea, but to do that I need someone to tell me why Microsoft's customers are not merely reaping what they have sown. You have not addressed this. If you would like to, I'm all ears, but attempting to tell me that Microsoft's security history is irrelevant, that it's unfair to consider its business practices and priorities, or that I should ignore the fact that they have both the knowledge and the resources to deliver more secure products will never work with me. Please save that and your "blah blah blah" handwaving for the pushovers who are impressed by your assertions. As for me, I deal in facts.

      Again, if you would like to actually address any of the issues I have raised, I'm all ears. The fact that you dislike my opinions has been noted, but does not constitute a worthy response.

      --
      It is a miracle that curiosity survives formal education. - Einstein
  4. Windows Help F1 by edsousa · · Score: 5, Informative

    This won't affect anybody: those users that aren't very computer literate don't even know that help exists and is one key away... the other ones already know that windows help won't lead you anywhere!

  5. Wishful thinking by Anonymous Coward · · Score: 5, Insightful

    "Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."

    Call me a cynic, but I've got to be honest: The net effect may be positive, but I don't believe that Microsoft's idea of 'responsible disclosure' results in high priority investigation and timely patching of MS products.

  6. Re:Yet another reason by Anonymous Coward · · Score: 5, Insightful

    This is yet another reason why MS' idea of a tax to deal with malware tax is stupid.

    It's almost amusing that a Web browser is so tightly integrated with the operating system that scripts run by it can influence core system functions without actually rooting the machine. I guess this is what happens when you ignore decades of computer security history and discard the principle of least-privilege. Hopefully Windows 7 (and Vista) is not defective enough to allow a userspace application to screw around with a built-in OS function like help files.

    Look, if we're honest, the only reason why IE is so tightly integrated with the OS in the first place is because Microsoft wanted to abuse its desktop OS monopoly by using it to dominate the browser market. If not for that, IE would be a standalone browser and would be separate from any built-in HTML rendering that's part of the core Windows system, like help files in this case. This is one reason why I use Linux: Microsoft obviously cares about its marketshare more than my security, and I cannot in good conscience use my money to support a company with such backwards priorities. I'm sure someone will chime in with talk about how useful Windows is, and I won't argue (much) with that.

    This is really a moral issue. Anyone with decent principles wouldn't want to reward a company with such questionable business practices, not even if they made the finest software available. I'm sure the rest of you who don't have such principles will have a million excuses for why you continue to support Microsoft with your wallets, and that's fine. Every dishonest organization has its useful idiots without which it could not continue existing.

  7. I thought it said 'don't press the 'F' key'... by TeethWhitener · · Score: 5, Funny

    This is ucking ridiculous. I'm a ullerene chemist, or uck's sake!

    1. Re:I thought it said 'don't press the 'F' key'... by courseofhumanevents · · Score: 4, Funny

      +1, unny

  8. To read the rest of this article... by edelbrp · · Score: 5, Funny

    press F1 to continue.

  9. Re:Not such a bad advice by Opportunist · · Score: 4, Insightful

    I have yet to stumble upon a helpful help page in Visual Studio 08. Usually a search with Google ends up faster on a relevant MSDN page than pressing F1 in VS.

    Interesting enough, it is also more relevant than a search inside the MSDN or using Bing. You usually do NOT find the same MSDN content as quickly within MSDN or with Bing, but instead get offered pages that try to cram some MS-interface down your throat. Maybe nice if you're programming with that interface, but utterly useless if you're using C++ instead of whatever web-aware magical brewitup crap MS tries to push currently.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  10. Re:Yes, AutoHotkey. Change any key to anything els by zapakh · · Score: 5, Funny

    Can I change another key to be the any key? I can never find that darn thing.

  11. Microsoft Interview by dawilcox · · Score: 4, Interesting
    I interviewed with Microsoft for a development position a few weeks ago. I found that the interviewers were very arrogant. They assumed they knew all the details about my past projects. It felt like politics with them would be horrendous because everyone is showing each other up.

    Needless to say, I turned down the job offer. It doesn't surprise me how they keep making flub ups like this when the people at their company are so arrogant.

  12. Re:Yet another reason by Froboz23 · · Score: 4, Funny

    I don't see what the big deal is. Windows is a perfectly secure operating system as long as you don't access any external media or connect to the internet.

    (Coming from someone who just spent 10 hours removing the Internet Security 2010 trojan malware from his wife's computer.)

    --
    Take off every Sig. For great justice.
  13. Re:Yet another reason by RalphSleigh · · Score: 5, Interesting

    The same HTML rendering component I can understand, but in this case it appears a script running in a web browser instance of the component can somehow affect the help rendering instance, and that is a quality WTF.

    --
    Come as you are, do what you must, be who you will.
  14. don't worry! by swigabyte · · Score: 4, Funny

    I never hit F1. I've found windows help to be absolutely useless.

  15. Re:Yet another reason by shutdown+-p+now · · Score: 4, Insightful

    You do realise that KDE and Gnome are not operating systems? "OS X" is also not an operating system in the typical sense of the word; it has Darwin [wikipedia.org] under the covers, responsible for managing all the hardware and important functions like permissions, ensuring that the core system can't be hosed when an rogue application is somehow allowed to be run as a user.

    Guess what? Windows works in exact same way. There's the kernel there, then a set of userland APIs on top of then, then the UI layer, and finally the actual DE. Just because they are shipped in a single box, and aren't explicitly marked as separate, and given funny-sounding names, doesn't mean they aren't there.

    Do you seriously think that NT kernel somehow uses IE under covers?

    It is comforting to know that if something goes wrong on Linux or OS X (or similar), that the problem is almost always limited to only a single 'user' account

    It depends on your definition of "something goes wrong". A privilege escalation exploit has the same problems on any OS, and without one you can't break the system on modern Windows versions (speaking of which, note how Vista/7 aren't vulnerable in this case), either - user account security is not fundamentally different in NT compared to Unix.

    Oh, and this isn't what is usually understood by a privilege escalation vulnerability - it doesn't give you root or anything. It's rather a sandbox breakage - scripts which should be executing in a browser sandbox "leak out", and run with all privileges of the user interacting with the machine.