WatchGuard Technologies, Inc.
WatchGuard Wire
Improve Your Security IQ

Don't press F1 if a website tells you to.

5 March, 2010 -- In a security advisory released this week, Microsoft warned customers of a zero-day vulnerability that affects Windows 2000, XP, and Server 2003. The vulnerability involves how Visual Basic Script (VBScript) interacts with Windows help files in Internet Explorer (IE). However, an attacker would have to get a victim to press the F1 key in order to exploit this vulnerability.

Here's how this attack might go down. The attacker lures you to a specially crafted website, perhaps via an enticing email message or a link in an IM message. If you visit the malicious website, a dialog box pops up asking you to press F1 for whatever reason. If you press F1, the malicious code on the site exploits this flaw to install malware on your computer, using your privileges.

This new zero-day was discovered by a researcher from iSEC Security Research. Unfortunately, the researcher irresponsibly disclosed the flaw in detail, without giving Microsoft time to patch it. If you'd like to know more technical details about this flaw, check out iSEC's advisory. Making matters worse, the researcher also released a Proof-of-Concept (PoC) exploit that illustrates the flaw. With attackers potentially exploiting this flaw in the wild, it poses a significant risk. That said, the attacker does have to trick your users into pressing F1 for this attack to succeed. If you don't press F1, the attack doesn't work. So for now, telling your users not to press F1 on strange websites should protect you from any malicious sites trying to leverage this vulnerability.

I expect Microsoft to patch this as soon as they can. However, since they only learned about it shortly before this month's Patch Day, it seems unlikely they'll include a patch with this month's meager updates. Still, I'll keep my eye out for the patch, and will inform LiveSecurity customers whenever Microsoft releases it. -- Corey Nachreiner, CISSP

Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.