Microsoft told Windows XP users today not to press the F1 key when prompted by a Web site. The warning was a reaction to a bug in VBScript that Polish researcher Maurycy Prodeus had revealed Friday. The vulnerability could enable hackers to hijack PCs running Internet Explorer (IE). Microsoft noted that hackers exploiting the VBScript flaw through Windows Help and Internet Explorer could take complete control of a Windows system.
Last week Prodeus pointed out that attackers could exploit the "logic flaw" by feeding users malicious code disguised as a Windows help file and convincing them to press the F1 key when a pop-up appeared.
Microsoft has confirmed the bug, saying: "The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer. If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user."
Microsoft says that the bug affects Windows 2000, Windows XP and Windows Server 2003, along with any supported version of Internet Explorer (IE) on those operating systems.
Until a patch is available, Microsoft advises users not to press the F1 key if a Web site tells them to. Microsoft has not, however, set a timeline for fixing the bug.
Customers running Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2 are safe from such attacks, Microsoft said.