A patch is in the works

Mar 2, 2010 14:11 GMT

Microsoft has officially confirmed a vulnerability in VBScript that affects copies of Internet Explorer running on older releases of Windows, including Windows XP SP3, Windows 2000 and Windows Server 2003. At the end of last week, the company said it was investigating claims of a security flaw and reviewing details that had been published irresponsibly in the wild. Maurycy Prodeus, a security analyst with iSEC Security Research, discovered the vulnerability and made it public, indicating that a successful exploit would allow an attacker to invoke winhlp32.exe from Internet Explorer and execute arbitrary code on the victim’s computer.
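Because the issue ends with Internet Explorer launching winhlp32.exe, one thing a defender can do while waiting for the patch is watch process-creation telemetry for exactly that parent/child pair. The script below is an added example written for this article; it is not code from Microsoft, iSEC or the article itself. It assumes a simplified key=value event format with Sysmon-style field names (Image, ParentImage, CommandLine), a default Windows Help directory of C:\Windows\Help, and a constructed set of sample events; the severity heuristic (a help file outside the Windows Help directory is rated higher) is an assumption of the example, not something the article states.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample process-creation events (not real logs). Field names
# loosely follow Sysmon Event ID 1; the format is a simplified key=value line.
SAMPLE_EVENTS = [
    # IE launching winhlp32.exe with a help file on a remote share (constructed)
    'Image=C:\\Windows\\winhlp32.exe ParentImage=C:\\Program Files\\Internet Explorer\\iexplore.exe '
    'CommandLine="winhlp32.exe \\\\example-share\\pub\\sample.hlp"',
    # Explorer launching winhlp32.exe for a local help file: benign baseline
    'Image=C:\\Windows\\winhlp32.exe ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="winhlp32.exe C:\\Windows\\Help\\local.hlp"',
    # IE launching winhlp32.exe for a help file in the Windows Help directory
    'Image=C:\\Windows\\winhlp32.exe ParentImage=C:\\Program Files\\Internet Explorer\\iexplore.exe '
    'CommandLine="winhlp32.exe C:\\Windows\\Help\\local.hlp"',
    # IE launching something other than winhlp32.exe: not in scope here
    'Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Program Files\\Internet Explorer\\iexplore.exe '
    'CommandLine="notepad.exe"',
]

# Assumed default location of legitimate WinHelp files (case-insensitive compare).
WINDOWS_HELP_DIR = "c:\\windows\\help\\"

# key=value pairs; a value is either double-quoted or runs until the next " key=".
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|.*?)(?=\s+\w+=|$)')


@dataclass
class Finding:
    severity: str
    reason: str
    event: Dict[str, str] = field(default_factory=dict)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def _basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: Dict[str, str]) -> Optional[Finding]:
    """Flag winhlp32.exe spawned by iexplore.exe; rate higher if the help file is not in the Help dir."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    if image != "winhlp32.exe" or parent != "iexplore.exe":
        return None

    # First token is the executable; the remainder is treated as the help file argument.
    parts = event.get("CommandLine", "").split(None, 1)
    hlp_arg = parts[1].strip() if len(parts) > 1 else ""

    if not hlp_arg.lower().startswith(WINDOWS_HELP_DIR):
        return Finding("high",
                       "winhlp32.exe spawned by iexplore.exe with help file outside the Windows Help directory",
                       event)
    return Finding("medium", "winhlp32.exe spawned by iexplore.exe", event)


def scan(lines: List[str]) -> List[Finding]:
    """Run the heuristic over a list of event lines and return the findings in order."""
    findings = []
    for line in lines:
        finding = assess(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.reason}: {f.event.get('CommandLine')}")
```

Run against the constructed events, the script reports the remote-share case as high and the local-help-file case launched from IE as medium, while the Explorer-launched help file and the notepad launch produce nothing. In a real deployment the same logic would be expressed as a rule in whatever tool collects process-creation events; the point is that the parent/child relationship, not the help file name, is the stable signal.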

“The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer. If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user. On systems running Windows Server 2003, Internet Explorer Enhanced Security Configuration is enabled by default, which helps to mitigate this issue,” Jerry Bryant, senior security communications manager – lead, Microsoft, revealed.

Bryant stresses that, at this point, Microsoft is not aware of any attacks in the wild targeting the VBScript vulnerability, nor of working exploit code. Customers running Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 have nothing to worry about with regard to this particular security hole, which cannot be exploited on those platforms.

The software giant is working on a patch for this issue, but in the meantime users can take steps to protect their machines themselves. To that end, the company has issued Security Advisory 981169, which contains a number of workarounds to avoid exposure to attacks. It is important to note that the vulnerability can only be exploited if the end user presses F1 when prompted to do so by a malformed popup while visiting an attack website.

“Our analysis shows that if users do not press the F1 key on their keyboard, the vulnerability cannot be exploited. Consequently, malicious Web sites may attempt to persuade users into pressing the F1 key. Such a Web site could invoke an endless loop of dialog boxes that tell the user to press the F1 key to end the loop, or offer information such as pricing information or help to be revealed through the F1 key. Users are advised to avoid pressing F1 presented by Web pages or other Internet content. If a dialog box appears repeatedly in an attempt to convince the user to press F1, users may log off the system or use Task Manager to terminate the Internet Explorer process,” Microsoft advises.