Microsoft Warns of F1 Site Attack

A new security advisory from Microsoft warns about a risk involving any version of Internet Explorer on Windows 2000 and Windows XP that can allow a malicious Web site to infiltrate your PC.

The vulnerability, detailed in an advisory put out yesterday, allows a specially crafted site to essentially reach through Internet Explorer using VBScript to access "inherently unsafe" Windows Help files, according to a Microsoft Security Research & Defense post. An attack would display a dialog box that pushed you to hit F1, which is required to complete the attack.

According to US-Cert, an attack could come from a Web page, an HTML e-mail or an e-mail attachment, as long as Internet Explorer was used to display the file (IE's engine is often used to render HTML for other applications, even if you don't see the usual IE program window). Windows Server 2003 is affected as well, but the default IE configuration mitigates the threat. Windows Vista, Server 2008 and Windows 7 are not affected.

If you happen across a site that displays a message box that won't go away that exhorts you to hit F1, log off or use the Windows Task manager to close IE. Also, if you're comfortable working on the Windows command line, the MSRC post offers a command that can "lock down the legacy Windows Help system" to prevent it from loading and guard against this threat (all typed on one line):

cacls "%windir%\winhlp32.exe" /E /P everyone:N

And to reverse the change:

cacls "%windir%\winhlp32.exe" /E /R everyone

The post also lists more standard workarounds, such as changing IE intranet security zone settings, that can also help protect against potential attacks.

Subscribe to the Security Watch Newsletter

Comments