Security Windows Technology

Microsoft Says, Don't Press the F1 Key In XP

Posted by kdawson
from the any-key-but-that-one dept.
Ian Lamont writes "Microsoft has issued a security advisory warning users not to press the F1 key in Windows XP, owing to an unpatched bug in VBScript discovered by Polish researcher Maurycy Prodeus. The security advisory says that the vulnerability relates to the way VBScript interacts with Windows Help files when using Internet Explorer, and could be triggered by a user pressing the F1 key after visiting a malicious Web site using a specially crafted dialog box."
This discussion has been archived. No new comments can be posted.

  • by dmgxmichael (1219692) on Tuesday March 02, 2010 @07:24PM (#31338526) Homepage
    As long as CTRL-ALT-DELETE still works we're golden.
  • F1rst (Score:3, Funny)

    by Anonymous Coward on Tuesday March 02, 2010 @07:24PM (#31338528)

    F1rst

  • Yet another reason (Score:3, Insightful)

    by Dracos (107777) on Tuesday March 02, 2010 @07:26PM (#31338552)

    This is yet another reason why MS' idea of a tax to deal with malware tax is stupid.

    • by 0WaitState (231806) on Tuesday March 02, 2010 @07:34PM (#31338672)
      How about we tax Microsoft for their polluting the internet with their insecure-by-design OS installs? About $50 per install will put a dent in all the economic damage Windows causes.

      Don't press the F1 key? Jesus fucking christ. What next, don't power up the box?
    • by Anonymous Coward on Tuesday March 02, 2010 @07:38PM (#31338718)

      This is yet another reason why MS' idea of a tax to deal with malware tax is stupid.

      It's almost amusing that a Web browser is so tightly integrated with the operating system that scripts run by it can influence core system functions without actually rooting the machine. I guess this is what happens when you ignore decades of computer security history and discard the principle of least-privilege. Hopefully Windows 7 (and Vista) is not defective enough to allow a userspace application to screw around with a built-in OS function like help files.

      Look, if we're honest, the only reason why IE is so tightly integrated with the OS in the first place is because Microsoft wanted to abuse its desktop OS monopoly by using it to dominate the browser market. If not for that, IE would be a standalone browser and would be separate from any built-in HTML rendering that's part of the core Windows system, like help files in this case. This is one reason why I use Linux: Microsoft obviously cares about its marketshare more than my security, and I cannot in good conscience use my money to support a company with such backwards priorities. I'm sure someone will chime in with talk about how useful Windows is, and I won't argue (much) with that.

      This is really a moral issue. Anyone with decent principles wouldn't want to reward a company with such questionable business practices, not even if they made the finest software available. I'm sure the rest of you who don't have such principles will have a million excuses for why you continue to support Microsoft with your wallets, and that's fine. Every dishonest organization has its useful idiots without which it could not continue existing.

      • by shutdown -p now (807394) on Tuesday March 02, 2010 @08:47PM (#31339330) Journal

        You do realize that KDE, for example, also uses the same HTML component - KHTML - for both its standalone browser, and help system (and many other things)? I'd expect OS X to do the same with WebKit. Gnome is different, but mainly because of the mess they made with GtkHTML vs Gecko vs WebKit; the long-term plan, as I understand, is still to migrate to WebKit for everything.

        It's also purely a matter of practicality - I mean, why would you have two distinct HTML renderers?

        • by RalphSleigh (899929) on Tuesday March 02, 2010 @09:08PM (#31339474) Homepage

          The same HTML rendering component I can understand, but in this case it appears a script running in a web browser instance of the component can somehow affect the help rendering instance, and that is a quality WTF.

          • Re: (Score:2, Insightful)

            Quality-wise it's clearly a defect, but GP was ranting about it from some moral "evil monopoly" perspective.

        • by adtifyj (868717)

          You do realise that KDE and Gnome are not operating systems? "OS X" is also not an operating system in the typical sense of the word; it has Darwin [wikipedia.org] under the covers, responsible for managing all the hardware and important functions like permissions, ensuring that the core system can't be hosed when a rogue application is somehow allowed to be run as a user.

          It is comforting to know that if something goes wrong on Linux or OS X (or similar), that the problem is almost always limited to only a single 'user'

          • by shutdown -p now (807394) on Tuesday March 02, 2010 @09:41PM (#31339720) Journal

            You do realise that KDE and Gnome are not operating systems? "OS X" is also not an operating system in the typical sense of the word; it has Darwin [wikipedia.org] under the covers, responsible for managing all the hardware and important functions like permissions, ensuring that the core system can't be hosed when a rogue application is somehow allowed to be run as a user.

            Guess what? Windows works in the exact same way. There's the kernel there, then a set of userland APIs on top of them, then the UI layer, and finally the actual DE. Just because they are shipped in a single box, and aren't explicitly marked as separate, and given funny-sounding names, doesn't mean they aren't there.

            Do you seriously think that NT kernel somehow uses IE under covers?

            It is comforting to know that if something goes wrong on Linux or OS X (or similar), that the problem is almost always limited to only a single 'user' account

            It depends on your definition of "something goes wrong". A privilege escalation exploit has the same problems on any OS, and without one you can't break the system on modern Windows versions (speaking of which, note how Vista/7 aren't vulnerable in this case), either - user account security is not fundamentally different in NT compared to Unix.

            Oh, and this isn't what is usually understood by a privilege escalation vulnerability - it doesn't give you root or anything. It's rather a sandbox breakage - scripts which should be executing in a browser sandbox "leak out", and run with all privileges of the user interacting with the machine.

    • No, actually I still think it's a great idea. I would just paperclip to it that the actual culprit gets to pay when the shit hits the fan. If I'm to blame, I pay. If MS is to blame, they pay.

      Just tell me early enough so I can make sure to dump all MS and Adobe stock I might have.

  • F1! (Score:5, Funny)

    by fm6 (162816) on Tuesday March 02, 2010 @07:29PM (#31338594) Homepage Journal

    F1!
    I need somebody!
    F1!
    Not just anybody!
    F1!
    You know I need someone!
    F1!

  • Only MSIE users (Score:3, Insightful)

    by icebike (68054) on Tuesday March 02, 2010 @07:31PM (#31338628)

    Any XP user still using Internet explorer probably hasn't a clue that F1 does anything at all.

    • Re: (Score:3, Interesting)

      by Alien1024 (1742918)
      This probably affects any help file in html format, which is displayed through the IE rendering engine. Many new applications use html help files.
    • by Ogive17 (691899)
      My office alone has about 150 computers running XP and IE6... not by choice...
      • by icebike (68054)

        Really? What could possibly tie you to IE6? Even Microsoft has STRONGLY recommended you move on.

  • F1 is now FU! (originally from BOL chatroom)
  • by Meshach (578918) on Tuesday March 02, 2010 @07:32PM (#31338640)
    From TFA:

    Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

    I find the idea that Microsoft is angry at the people who found a problem in Microsoft software not telling Microsoft about it hilarious.

    • by timeOday (582209) on Tuesday March 02, 2010 @07:38PM (#31338722)
      Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug. You can't argue that "security researchers" who sell 0-day vulnerabilities on the black market are helping anybody but themselves (not that Prodeus fits this description).
      • Re: (Score:3, Interesting)

        Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users

        It does not. It minimizes potential damage to the brand, so the vendor can decide if it's worth their while to do something.

        You can't argue that "security researchers" who sell 0-day vulnerabilities on the black market are helping anybody but themselves

        Better they sell it on the black market than they use it quietly. Moreover, if there's a market, then it's worth something and "g

      • by causality (777677) on Tuesday March 02, 2010 @07:59PM (#31338922)

        Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug. You can't argue that "security researchers" who sell 0-day vulnerabilities on the black market are helping anybody but themselves (not that Prodeus fits this description).

        I frequently hear this type of reasoning. It should be listed as a known/cataloged talking point so we can all absorb it once and move on, instead of seeing it rehashed every time this sort of discussion comes up. Sorry but old and well-worn arguments aren't contributing much. They don't have much power to convince anyone who doesn't already subscribe to that viewpoint.

        What I don't hear so much about is the incentive provided by full public disclosure. If you know that security vulnerabilities will be disclosed to the public, that this will result in security problems for your customers, that it will cause public humiliation for your company, is this not a strong incentive to secure your software in the first place? Confidential disclosure to the vendor only seems like it lets them off the hook a bit too easily. I'd normally be slow to view it that way, but Microsoft has a long history of such problems despite having tremendous resources it could dedicate to proactively eliminating them. They have the expertise, they have the money, they have the ability; what they lack is the will. There's simply no excuse for allowing a browser to influence built-in OS functions. I view this more like negligence on Microsoft's part and less like an unforeseeable event that could have happened to any vendor.

        As far as causing the least harm to the end users, should we be concerned about this in the long run? In the short term this can be quite unpleasant, and I don't enjoy the idea that someone who just wants to get their work done might have problems because of something beyond their immediate control. But it's not entirely beyond their control. Microsoft could not possibly exist were it not for the users who purchase its products.

        When its products malfunction in preventable ways, they make the Internet a worse place for everyone. I may run a relatively secure *nix machine, but I can still receive spam e-mail delivered by compromised Windows machines. So can everyone else. Since the situation could not possibly exist if not for Microsoft's users, is it really an injustice that they catch some flak when the entity they keep financially supporting fails to do its job? If they dislike this, should they not be a bit more careful about how they vote with their wallets and for whom they vote? I know the victim mentality is popular these days, but if you either know or could have known what you're dealing with, and continue to behave as though you do not and cannot know, should you cry fowl when there are negative consequences?

        Microsoft has a long history of problems like this. Anyone who deals with them and doesn't know that has simply failed to do their homework. The real "accomplishment" of Microsoft is that they, through their widespread presence, have convinced the general public that exploits, malware, and other security problems are a normal part of operating a computer. I'm not claiming that Microsoft's products are without merit; if they were, even the non-technical masses would not use them. I am merely skeptical of any notion that their positive contributions to this industry have outweighed their business practices and their negative contributions to this industry.

        • Re: (Score:3, Funny)

          by roystgnr (4015)

          should you cry fowl when there are negative consequences?

          Certainly not. That would be ducking responsibility.

      • I think the people that can discover a security bug like this can take a guess at how long it will take Microsoft to fix. It is totally the moral middle ground to say to Microsoft: "Here is the bug in your software I found. I will publicly release the details of this in (days assumed to fix)+30 days so that people can protect themselves. Please publish your patch before this date. Thank you."
      • Re: (Score:3, Insightful)

        by GNUALMAFUERTE (697061)

        Bullshit. When you find a security issue in a piece of Free Software, you feel compelled to fix it. You can fix it and submit the patch (and get the credit for it) without leaving your desktop. Everything is there. Do a svn checkout, fix, commit. That's all. People will thank you, and you'll feel great.

        When you find a security issue on a Microsoft product, you have to:

        Find a way to report the bug. You know, it's not simple ... contacting someone in there is impossible. You can send an email and blindly wait

      • by dweller_below (136040) on Tuesday March 02, 2010 @10:26PM (#31340002)

        Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug.

        IN A TIMELY MANNER.

        You forgot the bit that's at the core of the disclosure debate. Virtually everybody in the security industry agrees on the principles of disclosure. All the flames are over the timing.

        In one corner, we have Microsoft. They appear to believe in full disclosure, once the disclosure will have no adverse effects on stock price or profitability.

        In another corner, we have a tiny handful of scum sucking, mercenary security researchers who believe that disclosure will happen just as soon as they get paid. And the terms of that disclosure will be whatever the purchaser wants.

        In the other corners, and carpeting the entire floor, are all the rest of the security community. They believe that full disclosure must happen in a time-frame that minimizes damage to the user community. They just can't agree on when that might be.

        This lack of a consensus has made it easy for Microsoft to define the current terms of disclosure. The result has been suppression of disclosure for longer and longer periods. The inevitable consequence is more and more '0' day exploits.

        In September 2009, SANS released an excellent State-of-the-Internet on the top cyber security threats: http://www.sans.org/top-cyber-security-risks/ [sans.org] One of their points was:

        "World-wide there has been a significant increase over the past three years in the number of people discovering zero-day vulnerabilities, as measured by multiple independent teams discovering the same vulnerabilities at different times. Some vulnerabilities have remained unpatched for as long as two years."

        To demonstrate this issue they enumerated the history of MS08-031:

        For example, MS08-031 (Microsoft Internet Explorer DOM Object Heap Overflow Vulnerability) was discovered independently by three researchers. The first researcher submitted remote IE 6/7 critical vulnerability on Oct 22, 2007. A second independent researcher submitted the same vulnerability on April 23, 2008. A third independent researcher submitted the same vulnerability on May 19, 2008. All three submissions outlined different approaches of auditing and finding the same vulnerability.

        What goes unstated is while 3 'responsible' researchers disclosed to Microsoft and waited and waited, unknown numbers of hackers also discovered the vulnerabilities and exploited them.

        Just this week, a dozen well managed, fully patched, WinXP (with .NET installed) computers at my institution were compromised by clicking on a major news site (http://www.ksl.com/index.php?nid=148&sid=9814436).

        Microsoft would have us believe that this is acceptable. But really, would immediate, full disclosure be any worse?

        Miles

  • Windows Help F1 (Score:5, Informative)

    by edsousa (1201831) on Tuesday March 02, 2010 @07:35PM (#31338678) Journal
    This won't affect anybody: those users that aren't very computer literate don't even know that help exists and is one key away... the other ones already know that windows help won't lead you anywhere!
  • Wishful thinking (Score:5, Insightful)

    by Anonymous Coward on Tuesday March 02, 2010 @07:36PM (#31338692)

    "Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."

    Call me a cynic, but I've got to be honest: The net effect may be positive, but I don't believe that Microsoft's idea of 'responsible disclosure' results in high priority investigation and timely patching of MS products.

  • F1 key? (Score:3, Insightful)

    by shivamib (1034310) <leonardobighetti ... Rl.com minus cat> on Tuesday March 02, 2010 @07:40PM (#31338748)
    I tried it and got a Firefox friendly help tab. F1 is the second most annoying key.

    What you really don't want to press is that cursed, evil POWER key. You know, when you're trying to find the Page Up ke
  • by Alien1024 (1742918) on Tuesday March 02, 2010 @07:45PM (#31338796)
    Given the quality of the F1-contents these days, especially in MS apps, that's not such bad advice - google instead.
    • by Opportunist (166417) on Tuesday March 02, 2010 @08:13PM (#31339064)

      I have yet to stumble upon a helpful help page in Visual Studio 08. Usually a search with Google ends up faster on a relevant MSDN page than pressing F1 in VS.

      Interestingly enough, it is also more relevant than a search inside the MSDN or using Bing. You usually do NOT find the same MSDN content as quickly within MSDN or with Bing, but instead get offered pages that try to cram some MS-interface down your throat. Maybe nice if you're programming with that interface, but utterly useless if you're using C++ instead of whatever web-aware magical brewitup crap MS tries to push currently.

      • I never buy this line of reasoning. I think the VStudio MSDN help is a lot easier, especially when you want to learn about 50 different methods all in a couple of seconds. Online, it requires 50 different page reloads. In the MSDN help, the pages load instantly. I guess I always use the index - the search itself is useless. Must be because I've been using it for a bazillion years.

        I remember when the first MSDN was just a bundle of KB docs, and they put a little index on it. Boolean searches! More po

    • by barzok (26681)

      Unless you count MS's development tools; the online help there is excellent. Forget the order of the parameters for REPLACE() in SQL? F1 takes you right there.

  • by BitterOak (537666) on Tuesday March 02, 2010 @07:46PM (#31338800)
    The security advisory says the problem has to do with the way Internet Explorer interacts with the help system. Does anyone know if Firefox users are vulnerable?
  • by TeethWhitener (1625259) on Tuesday March 02, 2010 @07:49PM (#31338832)
    This is ucking ridiculous. I'm a ullerene chemist, or uck's sake!
  • I find it fascinating just how long everyone has been putting up with the crap attitude towards security involving windows. Internet explorer has been the biggest wastes of disk space since there have been alternatives out there and it's amazing to me how many bone-headed people and developers are still insisting on using it. Microsoft must be very proud of itself.
  • by edelbrp (62429) on Tuesday March 02, 2010 @07:54PM (#31338882)

    press F1 to continue.

    • Re: (Score:3, Interesting)

      by deniable (76198)
      Even funnier if that's a BIOS message. No, don't press F1 if you're in Windows, yes if it's starting up, no not in IE. Help-desks of the world, I feel your pain.
  • by mgichoga (901761) on Tuesday March 02, 2010 @08:03PM (#31338966)
    We're sunk! What happens when someone finally figures out the space bar hack?
  • by NicknamesAreStupid (1040118) on Tuesday March 02, 2010 @08:07PM (#31339006)
    than to tell people not to do it. Call it fatalism.
  • by Chris Mattern (191822) on Tuesday March 02, 2010 @08:08PM (#31339018)

    ...you're not losing all that much.

  • Damn! (Score:3, Interesting)

    by Korbeau (913903) on Tuesday March 02, 2010 @08:16PM (#31339086)

    I'll have to stop missing the ESC and ~ key!

    Most annoying thing: press F1 in a software like Visual Studio and have to wait 5 minutes for it to refresh online help.

  • Microsoft Interview (Score:4, Interesting)

    by dawilcox (1409483) on Tuesday March 02, 2010 @09:03PM (#31339440)
    I interviewed with Microsoft for a development position a few weeks ago. I found that the interviewers were very arrogant. They assumed they knew all the details about my past projects. It felt like politics with them would be horrendous because everyone is showing each other up.

    Needless to say, I turned down the job offer. It doesn't surprise me how they keep making flub ups like this when the people at their company are so arrogant.

  • by swigabyte (1392247) on Tuesday March 02, 2010 @09:19PM (#31339532)
    I never hit F1. I've found windows help to be absolutely useless.
  • Oops! (Score:2, Interesting)

    by nastro (32421)

    I hit F1 by accident at least once a day trying for the Esc key.

  • by SlappyBastard (961143) on Tuesday March 02, 2010 @11:01PM (#31340264) Homepage
    Especially with XP, the last version of Windows that allows you to nuke absolutely every service, disabling help is one of the first things I do.
  • by yellowstone (62484) on Tuesday March 02, 2010 @11:22PM (#31340398) Homepage Journal
    Here, let me fix it:

    [T]he vulnerability relates to [...] using Internet Explorer

    You're welcome.

    Best way to stay trouble free on Windows? Don't use IE. Or Outlook. Or IIS.

  • by gig (78408) on Wednesday March 03, 2010 @06:15AM (#31343192)

    If you are still using XP at this point, who cares? Go for it. Press F1 while running FlashPlayer and Acrobat and IE6 simultaneously. If you gave a shit or had any data worth protecting you'd already be using a Mac or other Unix.
