Microsoft Says, Don't Press the F1 Key In XP
Ian Lamont writes "Microsoft has issued a security advisory warning users not to press the F1 key in Windows XP, owing to an unpatched bug in VBScript discovered by Polish researcher Maurycy Prodeus. The security advisory says that the vulnerability relates to the way VBScript interacts with Windows Help files when using Internet Explorer, and could be triggered by a user pressing the F1 key after visiting a malicious Web site using a specially crafted dialog box."
Windows Help F1 (Score:5, Informative)
Re:Well, at least the important keys still work. (Score:4, Informative)
http://www.randyrants.com/sharpkeys/
This will remap any(?) keys in Windows at a registry level.. including media keys and the f > 12 keys.
Re:Well, at least the important keys still work. (Score:3, Informative)
I thought you were doing the typical "fixing Windows is easy, just install Linux!" joke... which appeared to fail based on the first hit, since it was how to install Windows ;)
As for FAT vs. NTFS, how many people know the difference between disc and drum brakes? I don't know if knowing about filesystems is a requirement for using a computer - or that it even should be. If you want people to switch to Linux (hey, I think it's a good idea too, most of the time :) ), requiring them to read about filesystems is going to be a problem. They don't care... and don't WANT to know, it is a waste of their time.
Which is why "defaults" are important. Even when I install Linux I'm ok with either reiserfs or ext3 (or ext4). The average user doesn't care if it's a journaled filesystem or not. The average user doesn't care about how the hard drive is partitioned. The average user probably has no idea what "partitioning" means. And why should they care anyways? I don't know half of what my mechanic talks to me about either... I'm glad he knows, but at the end of the day I just want my car to keep working and be a good car...
The problem with Windows users is not that they don't know about NTFS, FAT, partitioning, disk drives, SATA vs. PATA, or what-have-you. The problem with Windows users would be more along the lines of not being able to tell - or not caring to? - what a phishing attack is... thinking downloading and installing programs from who knows where is a good idea... thinking backups are for "important" people and they don't need to back things up - or if they do it's really just software that causes problems, not hardware [ha. I just had a 2 year old SATA drive die on me])...
If we are going to educate users, I can think of many other things I'd rather tell them, hehe. Incidentally, I usually start with explaining how exactly folders and files work. Most people could not explain how to find their "desktop" folder, and certainly could not explain how the folder/file hierarchy works. Once people understand that, it makes them soooo much more independent and not asking "I downloaded a picture but I can't find it, where did it go?" every other day :)
Re:Well, at least the important keys still work. (Score:5, Informative)
autohotkey.com
Open source programme that allows you to do anything with your keys. Careful though, once you start you won't stop.
Re:Well, at least the important keys still work. (Score:5, Informative)
More importantly, is there a way to disable F1 in Windows? I can't tell you how many times I've accidentally hit it when trying to hit Esc.
Regedit: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\HELPCTR.EXE
For the default key at the top usually named (Default)
Either delete the path to helpctr.exe so the value is blank (Value not set), or download the dummy.exe from the actual directions below and point it to that.
http://www.hydrous.net/weblog/2007/06/23/disable-f1-in-windows-exporer [hydrous.net]
Re:Yet another reason (Score:2, Informative)
What next, don't power up the box?
That's actually a pretty good way to secure a Windows box. That or forgetting a Linux live CD in the drive (and have the system boot from CD first).
Or don't use XP.. (Score:0, Informative)
AutoHotkey: Editor with syntax highlighting. (Score:4, Informative)
I just checked. My AutoHotkey script is 1,639 lines, 52,140 bytes. That doesn't include the special scripts.
The source code is available [autohotkey.com], as is a GUI creator.
The AutoHotkey programming language is quirky.
AutoIt [autoitscript.com] has a more standard language. AutoIt is better for complex automated installation scripts, for example. AutoHotkey is better for hotkeys. Both offer compilation of their scripts to
Re:Well, at least the important keys still work. (Score:4, Informative)
Presumably autohotkey has to stay running in the background?
If you just remap your keys nothing extra has to stay loaded:
http://vlaurie.com/computers2/Articles/remap-keyboard.htm [vlaurie.com]
or Remapkey.exe from the MS server 2008 resource kit : http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en [microsoft.com]
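
The registry-level remap mentioned in the comments above, as an added example that is not part of the original thread: it builds and audits the Windows `Scancode Map` value that disables F1 without any background program. The key path, value name and the F1 scancode `0x3B` come from the documented Windows format rather than from this page, and the function names are hypothetical.

```python
import struct

# Scancode Map is a REG_BINARY value under this key (documented Windows
# format; the key name is an assumption, it is not given on the page).
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout"
F1 = 0x3B          # set-1 scancode for F1
DISABLED = 0x0000  # a target of 0 means the key produces nothing

def build_scancode_map(mappings):
    """mappings: {source_scancode: target_scancode}; returns REG_BINARY bytes."""
    out = struct.pack("<III", 0, 0, len(mappings) + 1)  # version, flags, count incl. terminator
    for src, dst in sorted(mappings.items()):
        if not (0 < src <= 0xFFFF and 0 <= dst <= 0xFFFF):
            raise ValueError(f"scancode out of range: {src:#x} -> {dst:#x}")
        out += struct.pack("<HH", dst, src)              # target word first, then source
    return out + struct.pack("<I", 0)                    # null terminator entry

def parse_scancode_map(blob):
    """Audit an existing value: returns {source: target}, rejecting malformed data."""
    if len(blob) < 16 or len(blob) % 4:
        raise ValueError("truncated Scancode Map")
    version, flags, count = struct.unpack_from("<III", blob, 0)
    if version or flags or count < 1 or len(blob) != 12 + 4 * count:
        raise ValueError("header does not match data length")
    entries = [struct.unpack_from("<HH", blob, 12 + 4 * i) for i in range(count)]
    if entries[-1] != (0, 0):
        raise ValueError("missing null terminator")
    return {src: dst for dst, src in entries[:-1]}

def disabled_keys(blob):
    """Scancodes that the map turns off entirely."""
    return sorted(s for s, d in parse_scancode_map(blob).items() if d == DISABLED)

def to_reg_file(blob):
    """Render the value as .reg text; the remap applies after a restart."""
    hex_bytes = ",".join(f"{b:02x}" for b in blob)
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f"[{KEY}]\r\n"
            f'"Scancode Map"=hex:{hex_bytes}\r\n')

if __name__ == "__main__":
    blob = build_scancode_map({F1: DISABLED})
    print(to_reg_file(blob))
    print("disabled scancodes:", [hex(s) for s in disabled_keys(blob)])
```

`parse_scancode_map` is also useful on its own for checking what an existing `Scancode Map` on a machine remaps before overwriting it.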
Disabling help svc is an early part of install (Score:4, Informative)
Re:MS was concerned about how this was exposed? (Score:4, Informative)
It does sound "tired" and I appreciate that you are up-front enough to concede this, but in the same spirit I can admit that it's not unreasonable to wonder it. Still, I have a simple issue with this argument. While it has nowhere near the marketshare of Windows, there are still millions of Linux computers connected to the Internet. Compared to Windows, a disproportionately large number of Linux machines are beefy servers with large amounts of bandwidth. If they were as easy to take over as a home user's Windows machine, they would be more attractive targets. Yet there are no successful viruses or other self-replicating malware programs for Linux in the wild. There are proof-of-concept viruses, but they do not propagate on the Internet.
It comes down to target market. The people running Linux servers are qualified administrators. Linux servers are generally role specific. They probably only have a few apps running on them. Unless a network is being run by someone without a clue, Windows servers aren't getting taken apart by driveby downloads. The exploits are happening in one of two cases. Either internal users leave the secured network and hit compromised sites, or social engineering-esque exploits are coming in through the mail system, IM, etc.
You brought up Linux servers and then jumped sideways to talk about home Windows boxes. What are we talking about here, apples or oranges? Servers or workstations? What percentage of the Linux boxes are all running a uniform kernel and distro? Where are the consistent apps on every platform? Think like a malware writer for a second. Think like someone trying to find where in RAM an offset is going to be living. Think of an infection vector. What are you aiming for on Linux? KDE? Gnome? X? What revision? Be serious for a second. If you know enough to write exploit code, what pool are you aiming for? Where are you going to focus the limited time that you have?
Think about the real world. Movie-esque financial heists where you clear millions of dollars out of a compromised system don't happen (unless you work for Wall Street, and then it's legal). Real world fraud is done with compromised credit cards and bank accounts. That data is swapped across the web and kept in Quickbooks. It is locked up in bank websites that have easy to intercept (on a compromised system) authentication mechanisms. If you were going for money, where would you go? Windows, or Linux? Fraud is a numbers game. System cracking is mostly automated. You find an exploit, write a bot and start scanning for the vulnerability. Out of any given Class B block, what percentage of IPs are Windows boxes? What if you're targeting Charter, Time Warner or Cox?
It all comes down to the users, and the numbers of them. It takes time to write an exploit. If you were to roll out 450,000,000 Ubuntu 9.10 workstations with the same web browser and mail client and give them to the general public, you'd have exploits. You'd have exploits if the general public were storing data that thieves cared about. You'd have "Linux Antivirus 2010" the first time someone figures out how to trick a user into downloading a script that resizes their desktop, or randomly changes a .conf file. From there how long until a user "clicks here" on the identical to Canonical's system message themed dialogue to fix it? How long do you really think it would be before someone finds where Thunderbird or whatever client you want to load with Ubuntu stores its address book? Does Ubuntu desktop even have ufw on by default? I know I had to enable it myself when I loaded 8.04 LTS server. What would stop someone from kicking off an smtpd process, or loading some code to piggy back on Thunderbird?
Arguing Linux versus Windows in the hands of John Q Public is sort of like trying to prove or disprove God at this point. We don't have a large enough sample size to make definitive statements on. IMO, human nature doesn't go away because people use different OSes. The