Story image

New IE exploit detected

02 Mar 10

Microsoft is hurrying to deal with a new vulnerability
detected in the Internet Explorer browser that could allow a hacker to take
control of a computer.

The vulnerability could allow an attacker to host a
maliciously crafted Web page and run arbitrary code if they could convince a
user to visit the Web page and then get them to press the F1 key in response to
a pop-up dialogue box. Microsoft says it is not aware of any attacks seeking to
exploit this issue at this time and believes that users running Windows 7,
Windows Server 2008 R2, Windows Server 2008, and Windows Vista are not affected.

“The issue in question involves the use of VBScript and
Windows Help files in Internet Explorer,” a Microsoft blog posting explained. “Windows
Help files are included in a long list of what we refer to as ‘unsafe file
types’. These are file types that are designed to invoke automatic actions
during normal use of the files. While they can be very valuable productivity
tools, they can also be used by attackers to try and compromise a system.”

Microsoft advised users to avoid pressing F1 on dialogue
boxes presented from Web pages or other Internet content.“If a dialogue box appears repeatedly in an attempt to
convince the user to press F1, users may log off the system or use Task Manager
to kill the Internet Explorer process,” said the company in a security
research note

Users can also set Internet Explorer to show a prompt before
running any Active X controls or scripting, which Microsoft said will not
affect general browsing.

A fix for the problem will probably be issued at a later date.