Microsoft is hurrying to deal with a new vulnerabilitydetected in the Internet Explorer browser that could allow a hacker to takecontrol of a computer.
The vulnerability could allow an attacker to host amaliciously crafted Web page and run arbitrary code if they could convince auser to visit the Web page and then get them to press the F1 key in response toa pop-up dialogue box. Microsoft says it is not aware of any attacks seeking toexploit this issue at this time and believes that users running Windows 7,Windows Server 2008 R2, Windows Server 2008, and Windows Vista are not affected.
“The issue in question involves the use of VBScript andWindows Help files in Internet Explorer,” a Microsoft blog posting explained. “WindowsHelp files are included in a long list of what we refer to as ‘unsafe filetypes’. These are file types that are designed to invoke automatic actionsduring normal use of the files. While they can be very valuable productivitytools, they can also be used by attackers to try and compromise a system.”
Microsoft advised users to avoid pressing F1 on dialogueboxes presented from Web pages or other Internet content.“If a dialogue box appears repeatedly in an attempt toconvince the user to press F1, users may log off the system or use Task Managerto kill the Internet Explorer process,” said the company in a securityresearch note.
Users can also set Internet Explorer to show a prompt beforerunning any Active X controls or scripting, which Microsoft said will notaffect general browsing.
A fix for the problem will probably be issued at a later date.