ITPRO

Printed from www.itpro.co.uk


Microsoft warns of 'F1' pop-up flaw

Microsoft is investigating a new vulnerability that makes use of Windows Help files in Internet Explorer.

By Nicole Kobie, 1 Mar 2010 at 10:30


Microsoft is looking into a new flaw that could let hackers run code if they can convince users to hit the 'F1' key in response to a pop-up window.

In a post on the Microsoft security blog, communications manager Jerry Bryant said that the flaw was made public on Friday, but that the company hadn't seen any attacks yet, and that computers running Windows 7, Vista or Server 2008 are not affected - so XP users beware.

"The issue in question involves the use of VBScript and Windows Help files in Internet Explorer," Bryant noted.

"Windows Help files are included in a long list of what we refer to as 'unsafe file types'," he explained. "These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system."

Microsoft said it will "take appropriate action" once it has finished examining the flaw, and advised users to make sure their anti-virus and software were up to date.

Bryant also called for such flaws to be reported to vendors like itself, instead of being made generally public. "To minimise risk to computer users, Microsoft continues to encourage responsible disclosure," he said.

"Reporting vulnerabilities directly to vendors without further disclosure helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of – and work to exploit – a vulnerability."


1 comment


Fun with MS & IE

So that would be "Don't use our own browser" then, would it?

By HappyJoe on Tuesday Mar 2

1 people out of 1 found this comment useful.
