March 2, 2010

Microsoft Corp. has a message for Windows 2000, XP and Server 2003 users: If you browse the Interwebs with Internet Explorer 6, 7, or 8, take care to ignore any prompts that ask you to hit the F1 key on your keyboard, as doing so may be unhealthful to your PC.

It turns out that there is a security flaw in the way these operating systems + browser versions process “Windows Help files” in such a way that is entirely unhelpful. That is, clicking on the F1 key when presented with a specially crafted pop-up box prompting you to do so could allow criminals to download and install malicious software to your computer.

Thankfully, most Windows users are more likely to locate the “any” key on their systems before they realize that the “Function 1” key is but the first of 12 such keys situated just above the left-to-right number keys on the standard Windows keyboard. Indeed, most Windows users’ first experience with these function keys is when something goes wrong with Windows.

In a security advisory issued Monday, Microsoft said it may at some point issue a software update to address this shortcoming. Redmond’s advisory on this topic is available here. The organization responsible for this warning — Polish security firm iSec Security Research — has a bit more information here on the ins and outs of this bug.

9 thoughts on “MS: Be Careful With Those Function Keys”

  1. JCitizen

    Hopefully so, but I’m sure this could only cover the function key; OEMs put their own help key on a lot of boards, for their own windows help file.

    I’m always hitting that infernal thing, as it is placed right where I grab my keyboard.

    If I saw such a pop-up, it would be just like me to accidentally push that key just for being startled!

  2. Lofti

    I think I’ll send this to my co-workers today (very small business with no IT dept.). I can see this trick fooling lots of people.

  3. xAdmin

    Heh, the “any” key. Good one. I’ve taken many a support call in the past where the user asked, “Where is the “any” key?” Seriously! And it’s these types of users who will, like lemmings, be easily fooled into pressing the F1 key while browsing the web. Seriously, if you’re that gullible there’s nothing anyone can do for you.

    Now if you’re following best practice and using a defense in depth strategy which includes running as a non-admin (limited user), and you fall for this trick, the damage to your system will be limited to the logged in user and not compromise the entire system. Thus the reason it’s one part of a layered defense. Anyway, I’m preaching to the choir.

  4. CyberNorris

    I’m with JCitizen… trying to think of the last time I purposely hit F1. I probably hit it a few times a week by accident.

  5. JCitizen

    Thank you, CyberNorris;

    I hate the way OEMs design these keyboards! I don’t work at a desk, so my wireless keyboard is all over the place, and they put the buttons right where I reach every time! I’ve disabled most of them.

  6. infosec_pro

    Loved that timeline on the iSec page; wonder why it remained discovered but undisclosed so long and is now revealed?

  7. Tim

    “clicking on the F1 key”

    How does one “click” a keyboard key? 😉

    (Unless you run the On-Screen Keyboard from Accessibility features)

  8. JesWonderin

    Hmm, so the “good news” is that nobody hits F1? It seems the “sandbox” of IE is leaking everywhere. Where I work every training course emphasises hitting F1 as it is usually context sensitive to where the user is in an application, where the “Help” is not. And in Access and Excel, in VBA and in macros it is the “go to” tool. It takes the burden off the helpdesk as well with routine questions, and as stated previously we also have modified some of the helpdesk responses for users with company specific info. So MS, this is a biggie.

    1. xAdmin

      I don’t see how this is a big issue. It requires user interaction where someone has to be duped into pressing the F1 key while browsing an Internet website that has this malicious payload. I know, I know, end users do these things all the time. But, you can’t protect everyone from everything 24/7. There has to be some personal responsibility/critical thinking taking place by the end user. If you’re browsing an INTERNET website (not Intranet - read: internal), why would you EVER press the F1 key just because the website asks you to? This is one of those issues where it comes down to the person behind the keyboard.
