Microsoft cautions WinXP users to avoid the F1 key

The unusual warning comes after a Polish security researcher revealed a 'logic flaw' in the Windows XP kernel that can – under certain circumstances – allow a hacker to 'call' a malware-infected piece of code when the user thinks they are opening a help file.

According to the Microsoft security advisory: "The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer."

"If a malicious website displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user."

iSec.pl says that users of Windows XP, as well as Windows 2000 and Windows 2003, are affected by the bug, but the slightly bad news, Infosecurity notes, is that Microsoft has not announced when the problem will be fixed by a security patch.

Microsoft – unusually – has also described the public disclosure of what appears to be a zero-day security flaw as irresponsible and warned that the research firm has placed customers' security at risk.

In what is developing into a public spat, meanwhile, Maurycy Prodeus said over the weekend that he notified Microsoft some four weeks ago about the problem.
