Windows XP security advisory warns of zero-day glitch

Posted by Mike Luttrell

Microsoft today issued a security advisory to Windows XP users saying that a glitch in Internet Explorer makes it possible for malicious users to craft code that would produce a fake Windows help file.

Specifically, if users come across a Web site that appears to display a Windows dialog box telling them to press F1, they should navigate away from the site. Pressing F1 could lead to the execution of computer-disabling processes. A researcher who found the bug calls it a "logic flaw": it allows attackers to disguise the attack as a legitimate Windows help file.

"The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer," wrote Microsoft in its advisory. The flaw affects users of Windows XP as well as those running older versions, Windows 2000 and Windows Server 2003. All versions of Internet Explorer on those platforms are vulnerable.

"As an interim workaround, users are advised to avoid pressing F1 on dialogs presented from Web pages or other Internet content," wrote Microsoft's David Ross in a company blog. Even if users encounter the malicious code, nothing will happen unless they actually press F1.

Microsoft is working on a patch.