March 1st, 2010, 22:57 PM
#1
Head Honcho
Administrator
Beware Windows XP's F1 Help Bug
iSEC Security Research has disclosed and Microsoft has confirmed a vulnerability in Internet Explorer versions 6, 7 and 8 that could allow remote code execution. Only Windows XP is vulnerable.
According to the advisory from iSEC, the attacker needs to elicit some cooperation from the user: The attack pops up a Windows messagebox (a simple dialog box with a button) loaded with VBScript. If the user presses F1, IE will load an attacker-supplied .HLP file with winhlp32.exe. iSEC also notes a stack overflow vulnerability in winhlp32 that they could use.
Microsoft's description of the issue basically supports all the claims by iSEC and adds some more facts.
Full story: PC Magazine