Softpedia
 


March 1st, 2010, 09:27 GMT · By

Asking for Help in IE 8 on XP SP3 Could Get You Infected with Malware

Users of Internet Explorer on Windows XP Service Pack 3 should be careful about the websites on which they press F1 for help, as doing so could get them infected with malware. Microsoft is currently investigating public reports of a security vulnerability that involves winhlp32.exe and Internet Explorer. Maurycy Prodeus, a security analyst with iSEC Security Research, disclosed at the end of the past week a vulnerability that, if successfully exploited, could allow an attacker to invoke winhlp32.exe from Internet Explorer. The attacker would subsequently be able to perform remote code execution on the target system and install malicious code.

“Passing malicious .HLP file to winhlp32 could allow remote attacker[s] to run arbitrary command[s]. Additionally, there is a stack overflow vulnerability in winhlp32.exe. To trigger vulnerability some user interaction is needed. Victim has to press F1 when MsgBox popup is displayed,” Prodeus explained.

Specifically, an attacker would have to use VBScript in order to exploit the vulnerability. According to Prodeus, the security flaw affects IE8, IE7 and IE6, but only on Windows XP SP3. Jerry Bryant, Sr. security communications manager lead, revealed that the Redmond company’s investigation had concluded thus far that Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista were in no way affected by the vulnerability.

The software giant underlines that, in order for the vulnerability to be exploited, XP SP3 users need to be running IE and press F1 when required to do so by a popup dialog box. “The issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as ‘unsafe file types.’ These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system,” Bryant stated.

Internet Explorer 8 (IE8) RTW is available for download here (for 32-bit and 64-bit flavors of Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008).
