Forwarded emails warn of a new security vulnerability in Windows 2000, XP, and Server 2003 systems consisting of a pop-up window directing users to press the F1 key, which sends them to a website that downloads malware.
Description: Virus alert
Circulating since: March 2010
Status: True
Text example as posted online, March 4, 2010:
------------------------------
Microsoft has announced a new virus is making the rounds.
It pops a box up on your screen and tells you to press F1 for further help when you visit an infected website. Pressing F1 downloads and engages the virus.
Microsoft said a patch for the virus won't be ready until March 9th, at the earliest, so they're putting out this warning to tell everyone that if you are prompted to press F1, ignore it, no matter how many times it continues to pop up and remind you.
------------------------------
Analysis: According to Microsoft this alert is mostly accurate, though it's only applicable to systems running Windows 2000, Windows XP, and Windows Server 2003. So far there have been no reported attacks that actually attempted to exploit this vulnerability.
Microsoft's TechNet website offers this expanded description of the problem:
An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.The vulnerability could not be exploited without user interaction, even if the user visited the malicious Web site. Instead, an attacker would need to convince a user to press the F1 key on the keyboard while the Web site displays a scripted dialog box.
The simplest way to protect a vulnerable system, Microsoft says, is to set the Internet Zone security setting to High, which disables the Active Scripting feature in Internet Explorer.
For more detailed information, see: Microsoft Security Advisory (981169): Vulnerability in VBScript Could Allow Remote Code Execution.
If you think you've been the victim of a malware attack, visit: Microsoft Consumer Security Support Center.
Share This Article
Sources and further reading:
Microsoft Warns of Zero-Day Hole for Older Windows
CNET News, 1 March 2010Microsoft Security Advisory
Microsoft TechNet, 1 March 2010Microsoft Releases Security Advisory to Address VBScript Vulnerability
US-CERT Current Activity, 2 March 2010
Last updated 03/09/10
