Microsoft issued Security Advisory 981169 on March 1, 2010, which affects supported versions of Windows 2000, 2003, and XP using Internet Explorer. The issue is related to how VBScript interacts with Windows Help files when used from IE. If exploited, a malicious person could trick the user into pressing the F1 key, which could then allow remote code execution.
The current workarounds (there is no patch yet, so this is effectively a zero-day) are any of the following:
1. Tell users not to press their F1 key.
2. Restrict users from accessing the Windows Help system through a Windows ACL, e.g.:
echo Y | cacls "%windir%\winhlp32.exe" /E /P everyone:N
3. Change the IE security zone settings to restrict ActiveX and other scripting.
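The ACL workaround above is easy to apply once but hard to track across a fleet, so here is an added batch script (not from the original post or from Microsoft's advisory) that applies the cacls deny, verifies whether it is in place, and reverts it. The script name and its apply/verify/revert arguments are my own; it assumes an administrator cmd.exe prompt on Windows 2000/XP/2003, and it relies on the cacls /E /R switch to remove the entry the workaround adds.

```batch
@echo off
rem Added example, not part of the original post: manage the Advisory 981169
rem winhlp32.exe ACL workaround. Usage: hlp981169.cmd apply ^| verify ^| revert
rem Assumption: run from an administrator cmd.exe on Windows 2000/XP/2003.
setlocal
set TARGET=%windir%\winhlp32.exe

if /i "%~1"=="apply"  goto :apply
if /i "%~1"=="verify" goto :verify
if /i "%~1"=="revert" goto :revert
echo Usage: %~nx0 apply ^| verify ^| revert
exit /b 2

:apply
rem /E edits the existing ACL instead of replacing it; /P everyone:N adds a
rem deny-all entry for Everyone, which blocks winhlp32.exe for every user.
echo Y | cacls "%TARGET%" /E /P everyone:N
goto :verify

:revert
rem /R (valid only with /E) removes the Everyone entry added above, restoring
rem normal access to Windows Help once the patch has been deployed.
cacls "%TARGET%" /E /R everyone
goto :verify

:verify
rem cacls lists one entry per line; an "Everyone:N" entry means the deny is set.
cacls "%TARGET%" | findstr /i /c:"Everyone:N" >nul
if not errorlevel 1 (
    echo [981169] winhlp32.exe is BLOCKED for Everyone - workaround in place.
    exit /b 0
)
echo [981169] winhlp32.exe is NOT blocked for Everyone - workaround not applied.
exit /b 1
```

The exit codes (0 = blocked, 1 = not blocked) let a logon script or inventory job report which machines still lack the workaround.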
So, let's go back for a second to "Tell users not to press their F1 key". Is this not the same as trying to keep a child away from an object by saying "Hot! Don't touch!"? We all know how this ends... It works at first, yet it makes the person more curious; then you leave, and can anyone guess what happens? They touch it. This is especially true here, where the attack will often take the form of repeated pop-ups asking the user to press F1.
If asking users not to do something actually worked, we wouldn't have most of the security issues we see today... right?
Anyway, for those of you who want to do a little more research, PoC code is available at exploit-db. Please review the code, modify it for your purposes, and also download the .hlp file and host it on a trusted server for PoC testing.
©2010 by Priveon, Inc.