Outline Message warns that responding to a pop-up prompt by pressing the F1 key when visiting an infected website could download and install a virus on your computer.
Brief Analysis The warning is valid. Microsoft has announced that because of a vulnerability in VBScript when using Internet Explorer in older versions of Windows, pressing the F1 key when on a specially crafted web page could install malware on the visitor's computer. The vulnerability is not present in Windows Vista or Windows 7. At the time of writing, Microsoft notes that they are not aware of any actual attacks that have use this method.
Subject: Virus warning F1 key
Microsoft has announced a new virus is making the rounds.
It pops a box up on your screen and tells you to press F1 for further
help when you visit an infected website. Pressing F1 downloads and
engages the virus.
Microsoft said a patch for the virus won't be ready until March 9th, at
the earliest, so they're putting out this warning to tell everyone that if
you are prompted to press F1, ignore it, no matter how many times it
continues to pop up and remind you.
This message, which circulates via email and social networking websites, warns recipients about a potential computer security threat involving the F1 key. According to the message, users should watch out for a pop up window that instructs them to press the F1 key when visiting a website. The warning notes that pressing the F1 key as requested could result in a virus being downloaded and installed on the visitor's computer.
The warning is valid. A threat like the one described was outlined in a March 1st 2010 Microsoft Security Advisory. The advisory notes:
Microsoft is investigating new public reports of a vulnerability in VBScript that is exposed on supported versions of Microsoft Windows 2000, Windows XP, and Windows Server 2003 through the use of Internet Explorer. Our investigation has shown that the vulnerability cannot be exploited on Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008. The main impact of the vulnerability is remote code execution. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.
The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer. If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user. On systems running Windows Server 2003, Internet Explorer Enhanced Security Configuration is enabled by default, which helps to mitigate against this issue.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
US-CERT has also published the following warning about the vulnerability on its website:
Microsoft has released a security advisory to address a vulnerability in VBScript. The advisory indicates that this vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer. By convincing a user to view a specially crafted HTML document (web page, HTML email, or email attachment) with Internet Explorer and to press the F1 key, an attacker could run arbitrary code with the privileges of the user running the application.
Although the core claims in the warning message are correct, some details are a little inaccurate. The warning claims that this threat is "making the rounds" implying that malware distributors are already actively exploiting the vulnerability. However, the Microsoft Security advisory notes that the company was not aware at the time of writing of any actual attacks that tried to use the vulnerability described. And, for the record, the threat described is not technically a computer virus but rather a security "hole" that could potentially be exploited by an attacker.
The vulnerability was first revealed in late February 2010 when iSEC Security Research published a document outlining the threat along with proof of concept code. In its security advisory Microsoft notes that it was concerned about how news of the vulnerability was released:
Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.
As noted above, this vulnerability cannot be exploited on Windows 7, Windows Vista, or Windows Server 2008. However, at least until Microsoft releases a security update to deal with this vulnerability, users of older Microsoft operating systems should certainly avoid pressing the F1 key if they are prompted to do so while visiting a webpage.