02 Mar 2010, Dave Neal, V3
Microsoft has issued a security advisory to update users about the latest vulnerability to hit Internet Explorer.
The problem relates to the use of help keys, particularly F1, and affects Windows 2000 and Windows XP by default, and to a lesser extent Windows 2003 Server.
Microsoft said that its internal investigations had revealed that Windows 7, Windows Server 2008 and Windows Vista are not affected.
"With this issue, it is possible for a malicious web page to display a dialogue box which will trigger the execution of arbitrary code when the user presses the F1 key," the advisory said.
"The prompt can appear repeatedly when dismissed, nagging the user to press the F1 key. Platforms are affected regardless of the Internet Explorer version installed.
"Though user interaction is required, the F1 keyboard shortcut does enable an attack scenario. In the exploit, a file path enables a .HLP file to be loaded from the local file system, SMB or WebDav."
Microsoft advised users to avoid pressing F1 on dialogue boxes presented from web pages or other internet content.
"If a dialogue box appears repeatedly in an attempt to convince the user to press F1, users may log off the system or use Task Manager to kill the Internet Explorer process," said the company in a security research note.
Users can also set Internet Explorer to show a prompt before running any ActiveX controls or scripting, which Microsoft said will not affect general browsing.
Microsoft bug
If they know what it is, why have they not plugged it?
Posted by andy, 03 Mar 2010