Follow Gregg on Twitter at or subscribe to Gregg's RSS feed.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Microsoft has not set a timeline for a fix, saying only that, "Microsoft will take the appropriate action to help protect our customers." The next scheduled security patch date for the company is March 9.Īlthough it does not rate the severity of vulnerabilities in its advisories, Microsoft noted that hackers exploiting the VBScript flaw using Windows Help and Internet Explorer could grab complete control of a Windows system.Ĭustomers running Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2 are safe from such attacks, Microsoft said. 1, about four weeks before publishing his findings. By Prodeus' account, he notified Microsoft of the flaw Feb. "Microsoft is concerned that this vulnerability was not responsibly disclosed, potentially putting customers at risk," said Jerry Bryant, a senior manager with the MSRC, in an e-mail.
The company took Prodeus to task for taking the bug public, something it regularly does when researchers disclose a vulnerability or post sample attack code before a patch is available. The advisory explained how to entering a one-line command at a Windows command-line prompt to lock down the Help system. Users can also stymie attacks by disabling Windows Help. The security advisory made the same recommendation: "Our analysis shows that if users do not press the F1 key on their keyboard, the vulnerability cannot be exploited." "The prompt can appear repeatedly when dismissed, nagging the user to press the F1 key," Ross added. "As an interim workaround, users are advised to avoid pressing F1 on dialogs presented from Web pages or other Internet content," said David Ross with the Microsoft Security Response Center (MSRC) engineering staff in a blog entry on Monday. Until a patch is ready, users can protect themselves by not pressing the F1 key if a Web site tells them to, said Microsoft. Previously, Prodeus had said that users running IE7 and IE8 were at risk, but had not called out IE6. Windows 2000, Windows XP and Windows Server 2003 are impacted by the bug, said Microsoft, and any supported versions of Internet Explorer (IE) on those operating systems - including IE6 on Windows XP - could be leveraged by attackers. He rated the vulnerability as "medium" because of the required user interaction. Last week, Prodeus called the bug a "logic flaw," and said attackers could exploit it by feeding users malicious code disguised as a Windows help file - such files have a ".hlp" extension - then convincing them to press the F1 key when a pop-up appeared.
0 kommentar(er)
