Comments on: MS: Be Careful With Those Function Keys

By: xAdmin

xAdmin — Wed, 03 Mar 2010 17:22:56 +0000

I don’t see how this is a big issue. It requires user interaction where someone has to be duped into pressing the F1 key while browsing an Internet website that has this malicious payload. I know, I know, end users do these things all the time. But, you can’t protect everyone from everything 24/7. There has to be some personal responsibility/critical thinking taking place by the end user. If you’re browsing an INTERNET website (not Intranet -read internal), why would you EVER press the F1 key just because the website asks you to? This is one of those issues where it comes down to the person behind the keyboard.

Hot debate. What do you think? 5 3

By: JesWonderin

JesWonderin — Wed, 03 Mar 2010 15:54:56 +0000

Hmm, so they “good news” is that nobody hits F1? It seems the “sandbox” of IE is leaking everywhere. Where I work every training course emphasises hitting F1 as it is usually context senstitive to where the user is in an application, where the “Help” is not. And in Access and Excel, in VBA and in macros it is the “go to” tool. It takes the burden off the helpdesk as well with routine questions, and as stated previously we also have modified some of the helpdesk reponses for user with company specific info. So MS, this is a biggie.

Like or Dislike: 2 1

By: SE Wireless Motion Sensor Light – 10 Super-Bright LED « Best Electronics Products

Wed, 03 Mar 2010 13:01:54 +0000

[...] MS: Be Careful With Those Function Keys — Krebs on Security [...]

Like or Dislike: 0 0

By: Cuidado con la tecla F1 de ayuda en Internet Explorer | CyberHades

Cuidado con la tecla F1 de ayuda en Internet Explorer | CyberHades — Wed, 03 Mar 2010 02:18:12 +0000

[...] en Krebs On Security Comparte esta [...]

Like or Dislike: 0 0

By: LinXs 2010-03-02 | Maxim's blog

LinXs 2010-03-02 | Maxim's blog — Tue, 02 Mar 2010 22:53:23 +0000

[...] MS: Be Careful With Those Function Keys Pressing F1 key while browsing some sites in Internet Explorer may infect your PC [...]

Like or Dislike: 0 0

By: Tim

Tim — Tue, 02 Mar 2010 21:22:34 +0000

“clicking on the F1 key”

How does one “click” a keyboard key?

(Unless you run the On-Screen Keyboard from Accessibility features)

Hot debate. What do you think? 2 7

By: infosec_pro

infosec_pro — Tue, 02 Mar 2010 18:25:11 +0000

loved that timeline on the isec page, wonder why it remained discovered but undisclosed so long and is now revealed?

Like or Dislike: 2 1

By: JCitizen

JCitizen — Tue, 02 Mar 2010 17:58:11 +0000

Thank you CyberNorris;

I hate the way OEMs design these keyboards! I don’t work at a desk, so my wireless keyboard is all over the place, and they put the buttons right where I reach every-time! I’ve disabled most of them.

Like or Dislike: 2 0

By: CyberNorris

CyberNorris — Tue, 02 Mar 2010 17:06:21 +0000

I’m with JCitizen… trying to think of the last time I purposely hit F1. I probably hit it a few times a week by accident.

Like or Dislike: 5 2

By: xAdmin

xAdmin — Tue, 02 Mar 2010 16:54:44 +0000

Heh, the “any” key. Good one. I’ve taken many a support call in the past where the user asked, “Where is the “any” key?” Seriously! And it’s these types of users who will, like lemmings, be easily fooled into pressing the F1 key while browsing the web. Seriously, if you’re that gullible there’s nothing anyone can do for you.

Now if you’re follwing best practice and using a defense in depth strategy which includes running as a n0n-admin (limited user), and you fall for this trick, the damage to your system will be limited to the logged in user and not compromise the entire system. Thus the reason it’s one part of a layered defense. Anyway, I’m preaching to the choir.

Hot debate. What do you think? 5 3