Asking for help in Windows could lead to more trouble.
A newly discovered vulnerability in Internet Explorer (IE) leverages the ability of a Visual Basic script to invoke an .HLP (Windows Help file format) file, which could give a remote attacker the ability to run arbitrary code on an affected system.
Visual Basic uses the following syntax to call the MsgBox function, which is used to display message boxes:
However, if a specially crafted .HLP file is passed as the help-file argument, a remote attacker can run arbitrary code on an affected system. Triggering the vulnerability requires user interaction: the victim has to be directed to the page hosting the exploit and then press F1 when the message box appears.
The exploit does not affect all versions of Windows. Systems running Windows 2000, Windows XP, and Windows Server 2003 are vulnerable. Those that run Vista, Server 2008, Server 2008 R2, and Windows 7 are not.
Microsoft is already aware of the issue and has issued the following statement:
Our teams are working to address the issue and once we complete our investigation, we will take appropriate action to protect customers. This may include releasing an update out of band. We will provide further updates as they become available.
Microsoft also released a security advisory that details several workarounds for this vulnerability. For users, the most important advice is simple—do not press the F1 key when prompted by a website.
Until the official patch is released, Trend Micro Deep Security™ can help shield users from this vulnerability. Trend Micro OfficeScan™ users with the Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with the IDF10-009 release and rule number IDF1004019.