IE code execution bug can bite older Windows
Surf, press F1, get pwned
Microsoft's security team is investigating a security vulnerability in older versions of Windows that allows attackers to execute malware on end user machines.
The bug combines scripts based on Microsoft's Visual Basic language with Windows help files for Internet Explorer. It makes it possible for an attacker hosting a malicious website to remotely run arbitrary code by convincing the user to press the computer's F1 key in response to a popup window.
The vulnerability doesn't threaten users of Windows 7, Windows Server 2008, and Windows Vista, Microsoft's Jerry Bryant wrote here, and so far, there are no reports of attacks that exploit the weakness.
The attack was described on Friday by Maurycy Prodeus of iSec Security Research. The vulnerability is the result of passing a Samba (SMB network) share as a help-file parameter, he said. The researcher also warned that there is a stack-based buffer overflow in the winhelp32.exe file when parameters are too long.
Microsoft plans to issue guidance once its investigation is completed, Bryant said. ®
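The combination the article describes, a web page whose VBScript points a help-file parameter at a Samba/SMB share, is something a defender can hunt for in captured web content (proxy captures, saved pages). The scanner below is an added example and is not code from The Register, Microsoft or iSec Security Research; the sample pages, the documentation address 192.0.2.10 and the `scan_html` function are constructed for illustration, and the patterns are a review aid rather than a complete signature.

```python
"""Flag captured web content that references a Windows help file (.hlp) on a
remote SMB/Samba share (a UNC path), rating the reference higher when it sits
inside an inline VBScript block. Added example; sample pages are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Inline <script> blocks declared as VBScript via a type= or language= attribute.
VBSCRIPT_BLOCK = re.compile(
    r"<script\b[^>]*(?:type\s*=\s*['\"]?text/vbscript|language\s*=\s*['\"]?vbscript)"
    r"[^>]*>.*?</script>",
    re.IGNORECASE | re.DOTALL,
)
# A UNC path (\\host\share\...) that names a .hlp file.
UNC_HLP = re.compile(r"\\\\[^\s\"'\\]+\\[^\s\"']*?\.hlp\b", re.IGNORECASE)


@dataclass
class Finding:
    hlp_path: str   # the remote help-file reference that was found
    severity: str   # "high": inside a VBScript block; "low": elsewhere in the page
    offset: int     # character offset of the reference in the document


def scan_html(html: str) -> list[Finding]:
    """Return one Finding per remote .hlp reference, rated by its context."""
    script_spans = [m.span() for m in VBSCRIPT_BLOCK.finditer(html)]
    findings = []
    for m in UNC_HLP.finditer(html):
        in_vbscript = any(start <= m.start() < end for start, end in script_spans)
        findings.append(Finding(m.group(0), "high" if in_vbscript else "low", m.start()))
    return findings


# Constructed sample pages (192.0.2.10 is a documentation-only address).
BENIGN_PAGE = (
    '<html><body><script type="text/javascript">var n = 1;</script>'
    '<p>Local help lives at C:\\Windows\\Help\\notepad.hlp</p></body></html>'
)
SUSPICIOUS_PAGE = (
    '<html><body><script language="VBScript">\n'
    'helpfile = "\\\\192.0.2.10\\share\\lookup.hlp"\n'
    '</script></body></html>'
)
LOW_PAGE = '<html><body><p>\\\\192.0.2.10\\share\\readme.hlp</p></body></html>'

if __name__ == "__main__":
    for name, page in [("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE), ("low", LOW_PAGE)]:
        print(name, scan_html(page))
```

A local `C:\...\*.hlp` path is deliberately not flagged: the article's concern is a help file served from a remote share, so the detector keys on the UNC prefix, and it reports the same reference outside a VBScript block at low severity so an analyst can still review it.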
Sometimes when those involved try to state what not to be worried about, I just get more worried, because they sound soooo confused.
The notification "full details" says
===[ AFFECTED SOFTWARE ]=====
Windows XP SP3
but then goes on to say
"However, on XP winhlp32.exe is compiled with /GS flag, which in this case effectively guard the stack."
Huh? Not to worry?
They and Microsoft then go on to say the vulnerability is in winhelp32.exe, but not to worry if you're on Win7, Vista, etc.
Only... you can download and install winhelp32 on any of these OSes if you need to view those old help files. So does the OS protect me from the exe? Or are they thinking of the default Win7 installations, which don't have that old POS? Is it because it is all so magical to them that they can't explicitly say what to fear? (since MS is *always* saying the latest OS is safe I trust no blanket reassurances from them)
And then there is this:
===[ DISCLOSURE TIMELINE ]=====
01 Feb 2007 The vulnerability was discovered.
26 Feb 2010 Public disclosure
Is there a line missing here? Like "Notified Microsoft of vulnerability" ? Is that missing middle line subject to a remittance from Microsoft? Or is someone's job on the line and they've trawled through their old notes to show their (dust covered) productivity?
I suppose they could worry me more by saying "It's all under control", but demonstrating "It's all out of control" doesn't reassure me a bit.
Is it me, or do they start picking holes in older Windows operating systems right when their new ones begin to lose pace?
Nothing useful until you get off the treadmill