Microsoft issues advisory on new IE security vulnerability

Microsoft said it's investigating an Internet Explorer security vulnerability that could allow an attacker to host a maliciously crafted webpage and run arbitrary code.

In an advisory posted Sunday, Jerry Bryant, Microsoft senior security communications manager, said the attacker would have to convince a user to visit the malicious page and get them to press the F1 key in response to a pop-up dialog box.

Microsoft isn't aware of any attacks trying to exploit the IE vulnerability, he said. Machines running Windows 7, Windows Server 2008 R2, Windows Server 2008 and Windows Vista are not affected.

Bryant said the problem involves the use of VBScript and Windows Help files in Internet Explorer.

"Windows Help files are included in a long list of what we refer to as 'unsafe file types,'" he wrote. "These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system."

He referred customers to a Microsoft white paper on the topic of unsafe file types and said anyone affected by the issue can visit Microsoft's consumer security support center. Microsoft will provide more information about the vulnerability when it's available, he said.