
Microsoft Says, Don't Press the F1 Key In XP

kdawson posted more than 4 years ago | from the any-key-but-that-one dept.

Security 324

Ian Lamont writes "Microsoft has issued a security advisory warning users not to press the F1 key in Windows XP, owing to an unpatched bug in VBScript discovered by Polish researcher Maurycy Prodeus. The security advisory says that the vulnerability relates to the way VBScript interacts with Windows Help files when using Internet Explorer, and could be triggered by a user pressing the F1 key after visiting a malicious Web site using a specially crafted dialog box."

324 comments

Well, at least the important keys still work. (5, Funny)

dmgxmichael (1219692) | more than 4 years ago | (#31338526)

As long as CTRL-ALT-DELETE still works we're golden.

Re:Well, at least the important keys still work. (2, Insightful)

gerf (532474) | more than 4 years ago | (#31338660)

More importantly, is there a way to disable F1 in Windows? I can't tell you how many times I've accidentally hit it when trying to hit Esc.

Re:Well, at least the important keys still work. (4, Informative)

Anonymous Coward | more than 4 years ago | (#31338750)

http://www.randyrants.com/sharpkeys/

This will remap any(?) keys in windows at a registry level.. including media keys and the f > 12 keys.

Re:Well, at least the important keys still work. (5, Informative)

shermo (1284310) | more than 4 years ago | (#31338884)

autohotkey.com

Open source programme that allows you to do anything with your keys. Careful though, once you start you won't stop.

Yes, AutoHotkey. Change any key to anything else. (1)

Futurepower(R) (558542) | more than 4 years ago | (#31338938)

He's right. AutoHotkey [autohotkey.com] is excellent. Change any key to anything else, or to a sequence of keystrokes.

Re:Yes, AutoHotkey. Change any key to anything els (5, Funny)

zapakh (1256518) | more than 4 years ago | (#31339112)

Can I change another key to be the any key? I can never find that darn thing.

Re:Yes, AutoHotkey. Change any key to anything els (-1, Offtopic)

JustOK (667959) | more than 4 years ago | (#31339266)

Funny thing, it was originally supposed to be the "a" key and the "y" key, spoken like "a 'n y". Some browsers still support this and in Google Street view, will take you to approximately the location of your IP address, if you get the key sequence right.

AutoHotkey: Editor with syntax highlighting. (3, Informative)

Futurepower(R) (558542) | more than 4 years ago | (#31339252)

AutoHotkey has its own free editor with syntax highlighting. [autohotkey.net]

I just checked. My AutoHotkey script is 1,639 lines, 52,140 bytes. That doesn't include the special scripts.

The source code is available [autohotkey.com] , as is a GUI creator.

The AutoHotkey programming language is quirky.

AutoIt [autoitscript.com] has a more standard language. AutoIt is better for complex automated installation scripts, for example. AutoHotkey is better for hotkeys. Both offer compilation of their scripts to .EXE files.

Re:Well, at least the important keys still work. (0)

Anonymous Coward | more than 4 years ago | (#31338926)

Seems to me you could disable the Help service in services... would that cure the problem?

Re:Well, at least the important keys still work. (3, Funny)

ravenshrike (808508) | more than 4 years ago | (#31339234)

Or you could use FF/Opera/Chrome. Really the title should be, Don't use IE in XP.

Re:Well, at least the important keys still work. (4, Informative)

dissy (172727) | more than 4 years ago | (#31338952)

More importantly, is there a way to disable F1 in Windows? I can't tell you how many times I've accidentally hit it when trying to hit Esc.

Regedit: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\HELPCTR.EXE

For the default key at the top usually named (Default)
Either delete the path to helpctr.exe so the value is blank (Value not set), or download the dummy.exe from the actual directions below and point it to that.

http://www.hydrous.net/weblog/2007/06/23/disable-f1-in-windows-exporer [hydrous.net]
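The registry change described in the comment above, written as a Windows command script around reg.exe. This is an added example, not part of the original comment or the linked directions. The backup file name and the status/disable/restore arguments are assumptions made for the example.

```bat
@echo off
rem Added example: inspect, clear, or restore the default value of the
rem App Paths\HELPCTR.EXE key named in the comment above.
rem Run from an administrator command prompt, since the key lives under HKLM.
rem The backup file name below is an assumption chosen for this example.
setlocal
set "KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\HELPCTR.EXE"
set "BACKUP=%~dp0helpctr-apppath-backup.reg"

if /i "%~1"=="status"  goto status
if /i "%~1"=="disable" goto disable
if /i "%~1"=="restore" goto restore
echo Usage: %~nx0 status ^| disable ^| restore
exit /b 2

:status
rem Show the current (Default) value so the change can be verified.
reg query "%KEY%" /ve
exit /b %errorlevel%

:disable
rem Refuse to touch anything unless the key exists and a fresh backup succeeds.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 goto nokey
if exist "%BACKUP%" goto havebackup
reg export "%KEY%" "%BACKUP%"
if errorlevel 1 goto backupfailed
rem Delete the (Default) value so regedit shows "(value not set)".
reg delete "%KEY%" /ve /f
if errorlevel 1 exit /b 1
reg query "%KEY%" /ve
exit /b 0

:restore
rem Roll back from the exported copy made by "disable".
if not exist "%BACKUP%" goto nobackup
reg import "%BACKUP%"
exit /b %errorlevel%

:nokey
echo Key not found: %KEY%
exit /b 1

:havebackup
echo A backup already exists and will not be overwritten: %BACKUP%
exit /b 1

:backupfailed
echo Backup failed, leaving the key unchanged.
exit /b 1

:nobackup
echo No backup found at %BACKUP%
exit /b 1
```

Keeping the exported .reg file next to the script is what makes the change reversible; without it the original path has to be re-entered by hand.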

Re:Well, at least the important keys still work. (5, Funny)

Anonymous Coward | more than 4 years ago | (#31339216)

Best to change it to:

Shutdown -s -f -t 00

Will make windows much more efficient :)

Re:Well, at least the important keys still work. (0)

Anonymous Coward | more than 4 years ago | (#31338968)

I don't know about windows, specifically, but I do know of a cross platform method of disabling any key you wish. Grip and drag a flat-head screwdriver to the key in question, press into the gap and then rotate using the handle.

Re:Well, at least the important keys still work. (1)

biryokumaru (822262) | more than 4 years ago | (#31339336)

I did this for my "Hibernate" key, which was brilliantly placed right above my Esc key. A little duct tape over the hole, and it has most definitely eliminated all issues.

Re:Well, at least the important keys still work. (0)

Anonymous Coward | more than 4 years ago | (#31339090)

remap the key. I remapped caps lock and have been very happy with the results.

Re:Well, at least the important keys still work. (2, Insightful)

ls -la (937805) | more than 4 years ago | (#31339150)

More importantly, is there a way to disable F1 in Windows? I can't tell you how many times I've accidentally hit it when trying to hit Esc.

A screwdriver will work. It's even cross-platform.

Re:Well, at least the important keys still work. (0)

Anonymous Coward | more than 4 years ago | (#31339292)

Don't you mean Posi-drive platform?

Re:Well, at least the important keys still work. (1)

deniable (76198) | more than 4 years ago | (#31339232)

Pry-bar or epoxy. Also, F1 is usually just an accelerator for the help function, so they can get to the problem in other ways. Most of my users go to the menu rather than using F1. The other post detailing how to disable the help center is probably more useful.

ESC (0)

Anonymous Coward | more than 4 years ago | (#31339360)

More importantly, is there a way to disable F1 in Windows? I can't tell you how many times I've accidentally hit it when trying to hit Esc.

Start using Emacs.

Re:Well, at least the important keys still work. (1)

toastar (573882) | more than 4 years ago | (#31339368)

More importantly, is there a way to disable F1 in Windows? I can't tell you how many times I've accidentally hit it when trying to hit Esc.

Same way I got rid of the Windows key: a flathead screwdriver.

Re:Well, at least the important keys still work. (5, Insightful)

c++0xFF (1758032) | more than 4 years ago | (#31338674)

Just now, for the first time in my life, I pressed F1 in Windows on purpose.

Lots of interesting information is in there, and I even learned a few things (I didn't know XP had a private character editor [wikipedia.org] ). But I don't know anybody who uses the windows help system on purpose.

Google already provides good help for Windows.

Re:Well, at least the important keys still work. (0, Redundant)

Runaway1956 (1322357) | more than 4 years ago | (#31338716)

Re:Well, at least the important keys still work. (1)

CannonballHead (842625) | more than 4 years ago | (#31338746)

Uhhh, did you look at the first hit? Might want to proofread your Google links before using it to make a point...

How to Upgrade Linux to Windows XP | eHow.com
How to Upgrade Linux to Windows XP. Since Linux operating systems use different file systems than Windows, the hard drive must be formatted with either ...
www.ehow.com Computers Operating Systems Windows - Cached - Similar -

Re:Well, at least the important keys still work. (0)

Runaway1956 (1322357) | more than 4 years ago | (#31338776)

Actually, yes, I did read it. And that first hit helps to make my point. What percentage of Windows users are even aware that there are other file systems? I'd say that 20% of Windows users couldn't begin to explain the difference between FAT (of any variety) and NTFS. "Security model? That's some broad from Hollywood wearing a police uniform? What does that have to do with computers?"

Enjoy the links. ;^)

Re:Well, at least the important keys still work. (0)

Anonymous Coward | more than 4 years ago | (#31338834)

What percentage of Windows users are even aware that there are other file systems?

Windows is not a file system......

Re:Well, at least the important keys still work. (2, Informative)

CannonballHead (842625) | more than 4 years ago | (#31338850)

I thought you were doing the typical "fixing Windows is easy, just install Linux!" joke... which appeared to fail based on the first hit, since it was how to install Windows ;)

As for FAT vs. NTFS, how many people know the difference between disc and drum brakes? I don't know if knowing about filesystems is a requirement for using a computer - or that it even should be. If you want people to switch to Linux (hey, I think it's a good idea too, most of the time :) ), requiring them to read about filesystems is going to be a problem. They don't care... and don't WANT to know, it is a waste of their time.

Which is why "defaults" are important. Even when I install Linux I'm ok with either reiserfs or ext3 (or ext4). The average user doesn't care if it's a journaled filesystem or not. The average user doesn't care about how the hard drive is partitioned. The average user probably has no idea what "partitioning" means. And why should they care anyways? I don't know half of what my mechanic talks to me about either... I'm glad he knows, but at the end of the day I just want my car to keep working and be a good car...

The problem with Windows users is not that they don't know about NTFS, FAT, partitioning, disk drives, SATA vs. PATA, or what-have-you. The problem with Windows users would be more along the lines of not being able to tell - or not caring to? - what a phishing attack is... thinking downloading and installing programs from who knows where is a good idea... thinking backups are for "important" people and they don't need to back things up - or if they do it's really just software that causes problems, not hardware [ha. I just had a 2 year old SATA drive die on me])...

If we are going to educate users, I can think of many other things I'd rather tell them, hehe. Incidentally, I usually start with explaining how exactly folders and files work. Most people could not explain how to find their "desktop" folder and certainly could not explain how the folder/file hierarchy works. Once people understand that, it makes them soooo much more independent and not asking "I downloaded a picture but I can't find it, where did it go?" every other day :)

Re:Well, at least the important keys still work. (2, Interesting)

ffreeloader (1105115) | more than 4 years ago | (#31339076)

First you say it really doesn't matter if Windows users know anything about how their system is set up and how things work, but then go on to explain how their ignorance about how things work is their greatest weakness. You pretty much defeat your own argument without realizing it.

Re:Well, at least the important keys still work. (3, Insightful)

zapakh (1256518) | more than 4 years ago | (#31339168)

You pretty much defeat your own argument without realizing it.

GP is comparing two broad classes of knowing how things work, and asserting that ignorance of one of them is a problem. This is not contradiction, it is drawing a distinction.

I don't need to know how my fuel injection system works, but I had better know what to do at a stop sign.

Re:Well, at least the important keys still work. (1)

ffreeloader (1105115) | more than 4 years ago | (#31339308)

You are missing the point. Ignorance of all things computing is why most clueless users will follow any "click this" direction from anyone. It takes a knowledgeable user to recognize the issues.

Re:Well, at least the important keys still work. (1)

zapakh (1256518) | more than 4 years ago | (#31339370)

You have a good point, and here my car analogy, and those like it, break down because of the complexity of the beast.

I had forgotten about F1, instead referring people to go online to find answers to their computer questions. But I wonder if I haven't been doing the wrong thing directing people to community support when they're ill-equipped to distinguish good advice from bad.

Re:Well, at least the important keys still work. (2, Insightful)

ffreeloader (1105115) | more than 4 years ago | (#31339450)

I don't think that pointing people to community resources is a bad thing. In the vast majority of cases, unless it's a very, very, odd forum/community if bad advice is given that advice will be promptly nullified.

I haven't used Windows in years so I'm very used to community support. I find it better than formal support because there is usually at least a couple of people on every help forum who have a real knack for explaining things to non-technical people. Also, getting more than one point of view, and more than one way of presenting information usually results in a better understanding of the problem for the noob/not_knowledgeable_user unless they have zero technical ability and then it doesn't really matter where you send them they aren't going to learn anything.

Re:Well, at least the important keys still work. (1)

Noodlenoggin (1295699) | more than 4 years ago | (#31339314)

If you're not sure what to do at the stop sign, just press the F1 key and a helpful window should open allowing you to find out the correct procedure. I'd suggest stopping before you press F1 however.

Re:Well, at least the important keys still work. (1)

Daniel Dvorkin (106857) | more than 4 years ago | (#31339110)

As for FAT vs. NTFS, how many people know the difference between disc and drum brakes? I don't know if knowing about filesystems is a requirement for using a computer - or that it even should be.

Should be? No. Is? Yes. Disc vs. drum brakes make a certain amount of difference to braking performance, but having drum brakes won't make it easier for people to steal your car, or cause it to suddenly stop working while you're driving. Modern computers are simply not comparable to modern cars. They're more like the Model T -- reliable and affordable enough to be useful to a lot of people, but still not something you want to depend on without a decent set of tools and a fair amount of mechanical knowledge.

Re:Well, at least the important keys still work. (1)

sexconker (1179573) | more than 4 years ago | (#31338934)

A well-written help file is like a well-written man file. Invaluable to anyone who wants to do anything other than the bog standard mindless shit.

A poorly-written help file is like a poorly-written man file. It causes more confusion than if there wasn't one at all.

Re:Well, at least the important keys still work. (1)

Saint Stephen (19450) | more than 4 years ago | (#31339114)

Ah, gee, I feel sorry for you guys who didn't get to play with Windows 3.0 in the Spring of '90 :-) Back then we read all the help files cover to cover, cause it was nearly the only thing you could do on the thing.

Then play some Door programs :-)

Re:Well, at least the important keys still work. (1)

Saint Stephen (19450) | more than 4 years ago | (#31339134)

In the old days you actually had to THINK to figure out how to do something on the PC. Real actual honest to god research and thinkin about something. No foolin!

FTFY (0)

Anonymous Coward | more than 4 years ago | (#31339380)

In the old days you actually had to THINK to figure out how to do something on the PC. Real actual honest to god research and thinkin about something. No foolin!

In the old days the bad guys actually had to THINK to figure out how to pwn a PC. Real actual honest to god research and thinkin about something. No foolin!

Re:Well, at least the important keys still work. (2, Insightful)

Monkeedude1212 (1560403) | more than 4 years ago | (#31338684)

The actually funny part about this is that most users find that they hit F1 triggering help files on accident - Windows help has long since been little to no help at all, offering nothing you didn't already know. Most of the time you are meaning to press F2 to rename something.

Re:Well, at least the important keys still work. (1)

iamhassi (659463) | more than 4 years ago | (#31338830)

First time I pressed F1 on purpose was when I read I shouldn't press F1...

Re:Well, at least the important keys still work. (1)

Opportunist (166417) | more than 4 years ago | (#31338976)

Windows XP Help is great when it comes to finding out whether you have a counterfeit copy. That answer comes up at pretty much any time you could remotely press F1.

Try it yourself... uh... well, maybe not right now.

Re:Well, at least the important keys still work. (5, Funny)

Froboz23 (690392) | more than 4 years ago | (#31339038)

Tech Support: See this button? Don't touch it! It's the history eraser button, you fool!

User: So what'll happen?

Tech Support: That's just it. We don't know. Maybe something bad. Maybe something good. I guess we'll never know, 'cause you're going to guard it. You won't touch it, will you?

Re:Well, at least the important keys still work. (0)

Anonymous Coward | more than 4 years ago | (#31339104)

"I may have invented Control-Alt-Delete, but Bill Gates made it famous."
        -- David Bradley

F1rst (3, Funny)

Anonymous Coward | more than 4 years ago | (#31338528)

F1rst

Re:F1rst (2, Funny)

sexconker (1179573) | more than 4 years ago | (#31338912)

Fa1l.

Pfah (-1, Offtopic)

Ironchew (1069966) | more than 4 years ago | (#31338530)

Don't throw lawn darts at people!

F1 in Internet Exploder (-1, Troll)

Icegryphon (715550) | more than 4 years ago | (#31338532)

Doesn't doing anything in Internet Explorer Cause it to lock?
So how is pressing F1 any different?

Yet another reason (2, Insightful)

Dracos (107777) | more than 4 years ago | (#31338552)

This is yet another reason why MS' idea of a tax to deal with malware is stupid.

Re:Yet another reason (3, Interesting)

0WaitState (231806) | more than 4 years ago | (#31338672)

How about we tax microsoft for their polluting the internet with their insecure-by-design OS installs? About $50 per install will put a dent in all the economic damage Windows causes.

Don't press the F1 key? Jesus fucking christ. What next, don't power up the box?

Re:Yet another reason (2)

Fnord666 (889225) | more than 4 years ago | (#31338894)

Don't press the F1 key? Jesus fucking christ. What next, don't power up the box?

Actually if you look at security advisory number ....

Re:Yet another reason (1, Informative)

Opportunist (166417) | more than 4 years ago | (#31339024)

What next, don't power up the box?

That's actually a pretty good way to secure a Windows box. That or forgetting a Linux live CD in the drive (and have the system boot from CD first).

Re:Yet another reason (4, Funny)

Froboz23 (690392) | more than 4 years ago | (#31339454)

I don't see what the big deal is. Windows is a perfectly secure operating system as long as you don't access any external media or connect to the internet.

(Coming from someone who just spent 10 hours removing the Internet Security 2010 trojan malware [bleepingcomputer.com] from his wife's computer.)

Re:Yet another reason (5, Insightful)

Anonymous Coward | more than 4 years ago | (#31338718)

This is yet another reason why MS' idea of a tax to deal with malware is stupid.

It's almost amusing that a Web browser is so tightly integrated with the operating system that scripts run by it can influence core system functions without actually rooting the machine. I guess this is what happens when you ignore decades of computer security history and discard the principle of least-privilege. Hopefully Windows 7 (and Vista) is not defective enough to allow a userspace application to screw around with a built-in OS function like help files.

Look, if we're honest, the only reason why IE is so tightly integrated with the OS in the first place is because Microsoft wanted to abuse its desktop OS monopoly by using it to dominate the browser market. If not for that, IE would be a standalone browser and would be separate from any built-in HTML rendering that's part of the core Windows system, like help files in this case. This is one reason why I use Linux: Microsoft obviously cares about its marketshare more than my security, and I cannot in good conscience use my money to support a company with such backwards priorities. I'm sure someone will chime in with talk about how useful Windows is, and I won't argue (much) with that.

This is really a moral issue. Anyone with decent principles wouldn't want to reward a company with such questionable business practices, not even if they made the finest software available. I'm sure the rest of you who don't have such principles will have a million excuses for why you continue to support Microsoft with your wallets, and that's fine. Every dishonest organization has its useful idiots without which it could not continue existing.

Re:Yet another reason (-1, Flamebait)

powerspike (729889) | more than 4 years ago | (#31339148)

This is one reason why I use Linux: Microsoft obviously cares about its marketshare more than my security, and I cannot in good conscience use my money to support a company with such backwards priorities

So you're turning Amish, right?

You've just basically described any company with shares, and then some...

Re:Yet another reason (3, Insightful)

shutdown -p now (807394) | more than 4 years ago | (#31339330)

You do realize that KDE, for example, also uses the same HTML component - KHTML - for both its standalone browser, and help system (and many other things)? I'd expect OS X to do the same with WebKit. Gnome is different, but mainly because of the mess they made with GtkHTML vs Gecko vs WebKit; the long-term plan, as I understand, is still to migrate to WebKit for everything.

It's also purely a matter of practicality - I mean, why would you have two distinct HTML renderers?

Re:Yet another reason (1)

Opportunist (166417) | more than 4 years ago | (#31339000)

No, actually I still think it's a great idea. I would just paperclip to it that the actual culprit gets to pay when the shit hits the fan. If I'm to blame, I pay. If MS is to blame, they pay.

Just tell me early enough so I can make sure to dump all MS and Adobe stock I might have.

How about "don't press the power button" (0, Troll)

DJ DeFi (1344863) | more than 4 years ago | (#31338574)

Just leave your windows box off, you'll be doing us all a favor...

F1! (5, Funny)

fm6 (162816) | more than 4 years ago | (#31338594)

F1!
I need somebody!
F1!
Not just anybody!
F1!
You know I need someone!
F1!

Re:F1! (1)

martin-boundary (547041) | more than 4 years ago | (#31338948)

If you start me up
If you start me up I'll never F1
If you start me up
If you start me up I'll never F1

Re:F1! (1)

Chris Mattern (191822) | more than 4 years ago | (#31339052)

"You make a grown man cry"

So true :-)

Re:F1! (0)

Anonymous Coward | more than 4 years ago | (#31339392)

A bit outdated, but still funny.

Original lyrics from : Rolling Stones, "Start me up". Weird Al Yankovic - Windows 95

Well, I bought up.
Brought windows home,
and d'cided to boot it up.

But when I load it up,
It says my memory is not enough...
I'd be runnin' out.
I need some extra RAM to fix me up...

I have to cough it up...
Open my wallet up.
It never stops. (4x)

It's Windows 95!
It suckin' up my Drive.
It' makes a pretty all fine.
But my PC... is obsolete.
I'll have to buy myself a brandnew machine...

Bring it up...
Stick me up.
You suck me in, and then you got me hooked.
You got me..., you got me.

There's so much stuff to buy
I need a new harddrive
It's gonna suck me dry.
My CPU says, 'don't have the speed',
it takes an hour just to bring up the screen
nanana,

Oh no.
I making software buys,
Wow!
It's making Bill Gated come.
Yoyo.
You make a rich man come.

How about... (0, Funny)

Anonymous Coward | more than 4 years ago | (#31338612)

How about, don't hit F8 for "I Agree" to the XP EULA?
Does that protect me?

I sometimes... (1)

neptunusmaris (1466809) | more than 4 years ago | (#31338624)

... try to F1 (if you know what I mean) ..he he.... he

Only MSIE users (2, Insightful)

icebike (68054) | more than 4 years ago | (#31338628)

Any XP user still using Internet explorer probably hasn't a clue that F1 does anything at all.

Re:Only MSIE users (3, Interesting)

Alien1024 (1742918) | more than 4 years ago | (#31338916)

This probably affects any help file in html format, which is displayed through the IE rendering engine. Many new applications use html help files.

Re:Only MSIE users (1)

Ogive17 (691899) | more than 4 years ago | (#31339448)

My office alone has about 150 computers running XP and IE6... not by choice...

Or as Buzz Out Loud says... (2, Funny)

Rammed Earth (1732102) | more than 4 years ago | (#31338636)

F1 is now FU! (originally from BOL chatroom)

MS was concerned about how this was exposed? (5, Insightful)

Meshach (578918) | more than 4 years ago | (#31338640)

From TFA:

Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

I find the idea that Microsoft is angry at the people who found a problem in Microsoft software not telling Microsoft about it hilarious.

Re:MS was concerned about how this was exposed? (5, Insightful)

timeOday (582209) | more than 4 years ago | (#31338722)

Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug. You can't argue that "security researchers" who sell 0-day vulnerabilities on the black market are helping anybody but themselves (not that Prodeus fits this description).

Re:MS was concerned about how this was exposed? (3, Interesting)

martin-boundary (547041) | more than 4 years ago | (#31338876)

Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users

It does not. It minimizes potential damage to the brand, so the vendor can decide if it's worth their while to do something.

You can't argue that "security researchers" who sell 0-day vulnerabilities on the black market are helping anybody but themselves

Better they sell it on the black market than they use it quietly. Moreover, if there's a market, then it's worth something and "good guys" can bid, too.

Re:MS was concerned about how this was exposed? (5, Insightful)

causality (777677) | more than 4 years ago | (#31338922)

Angry or not angry, the point is that disclosing security bugs directly to the vendor first minimizes harm to end users - assuming, that is, the vendor feels sufficiently motivated to fix the bug. You can't argue that "security researchers" who sell 0-day vulnerabilities on the black market are helping anybody but themselves (not that Prodeus fits this description).

I frequently hear this type of reasoning. It should be listed as a known/cataloged talking point so we can all absorb it once and move on, instead of seeing it rehashed every time this sort of discussion comes up. Sorry but old and well-worn arguments aren't contributing much. They don't have much power to convince anyone who doesn't already subscribe to that viewpoint.

What I don't hear so much about is the incentive provided by full public disclosure. If you know that security vulnerabilities will be disclosed to the public, that this will result in security problems for your customers, that it will cause public humiliation for your company, is this not a strong incentive to secure your software in the first place? Confidential disclosure to the vendor only seems like it lets them off the hook a bit too easily. I'd normally be slow to view it that way, but Microsoft has a long history of such problems despite having tremendous resources it could dedicate to proactively eliminating them. They have the expertise, they have the money, they have the ability; what they lack is the will. There's simply no excuse for allowing a browser to influence built-in OS functions. I view this more like negligence on Microsoft's part and less like an unforeseeable event that could have happened to any vendor.

As far as causing the least harm to the end users, should we be concerned about this in the long run? In the short term this can be quite unpleasant, and I don't enjoy the idea that someone who just wants to get their work done might have problems because of something beyond their immediate control. But it's not entirely beyond their control. Microsoft could not possibly exist were it not for the users who purchase its products.

When its products malfunction in preventable ways, they make the Internet a worse place for everyone. I may run a relatively secure *nix machine, but I can still receive spam e-mail delivered by compromised Windows machines. So can everyone else. Since the situation could not possibly exist if not for Microsoft's users, is it really an injustice that they catch some flak when the entity they keep financially supporting fails to do its job? If they dislike this, should they not be a bit more careful about how they vote with their wallets and for whom they vote? I know the victim mentality is popular these days, but if you either know or could have known what you're dealing with, and continue to behave as though you do not and cannot know, should you cry foul when there are negative consequences?

Microsoft has a long history of problems like this. Anyone who deals with them and doesn't know that has simply failed to do their homework. The real "accomplishment" of Microsoft is that they, through their widespread presence, have convinced the general public that exploits, malware, and other security problems are a normal part of operating a computer. I'm not claiming that Microsoft's products are without merit; if they were, even the non-technical masses would not use them. I am merely skeptical of any notion that their positive contributions to this industry have outweighed their business practices and their negative contributions to this industry.

Re:MS was concerned about how this was exposed? (0, Flamebait)

brkello (642429) | more than 4 years ago | (#31339054)

Sheesh, blah blah blah. What your parent said isn't a talking point. His point was much better than yours in less words.

All a researcher has to do is notify MS. Give them a reasonable amount of time that you clearly specify (say a month) and then publicly disclose it.

Your disdain of MS shouldn't erode your common sense.

Re:MS was concerned about how this was exposed? (4, Insightful)

causality (777677) | more than 4 years ago | (#31339270)

Sheesh, blah blah blah. What your parent said isn't a talking point. His point was much better than yours in less words. All a researcher has to do is notify MS. Give them a reasonable amount of time that you clearly specify (say a month) and then publicly disclose it. Your disdain of MS shouldn't erode your common sense.

You have failed to address the issue I raised.

If its users were more discriminating and more willing to expect quality, I would have no reason to disdain MS. You act like any disdain on my part is an opinion or a matter of taste, and not like MS has soundly earned it.

Microsoft is a business. That means they will tend to do whatever makes them the most profit. If selling garbage makes profit for them, then they will sell garbage. If no one is willing to buy garbage, then they will be forced to sell quality. Therefore, Microsoft does whatever its paying customers are willing to put up with.

The point I raise, to restate it for you, is that this multibillion-dollar company with many highly skilled employees has both the expertise and the resources to design their systems in such a way that they do not suffer such vulnerabilities. They don't do this because they can profit without doing this; therefore, why would they go to the trouble when more effort means more expense? They can profit without doing this because their paying customers will tolerate insecure products. They think malware and other system compromises are an inherent aspect of owning a computer. If people who hold this false belief and use their money to support a vendor which caters to this false belief suffer because of this false belief, why should that trouble the rest of us? Are they not reaping what they sow?

Those of you who believe in confidential, discreet disclosure are implying that the effects on the customers should trouble the rest of us. I'm willing to entertain the idea, but to do that I need someone to tell me why Microsoft's customers are not merely reaping what they have sown. You have not addressed this. If you would like to, I'm all ears, but attempting to tell me that Microsoft's security history is irrelevant, that it's unfair to consider its business practices and priorities, or that I should ignore the fact that they have both the knowledge and the resources to deliver more secure products will never work with me. Please save that and your "blah blah blah" handwaving for the pushovers who are impressed by your assertions. As for me, I deal in facts.

Again, if you would like to actually address any of the issues I have raised, I'm all ears. The fact that you dislike my opinions has been noted, but does not constitute a worthy response.

Re:MS was concerned about how this was exposed? (1)

Aqualung812 (959532) | more than 4 years ago | (#31339074)

I think the people that can discover a security bug like this can take a guess at how long it will take Microsoft to fix. It is totally the moral middle ground to say to Microsoft: "Here is the bug in your software I found. I will publicly release the details of this in (days assumed to fix)+30 days so that people can protect themselves. Please publish your patch before this date. Thank you."

Redundant advice (1, Funny)

Anonymous Coward | more than 4 years ago | (#31338652)

F1 in Windows, Office or MSIE has never caused any useful information to be displayed, so why would anyone ever press it in the first place?

Windows Help F1 (5, Informative)

edsousa (1201831) | more than 4 years ago | (#31338678)

This won't affect anybody: those users that aren't very computer literate don't even know that help exists and is one key away... the other ones already know that windows help won't lead you anywhere!

Wishful thinking (5, Insightful)

Anonymous Coward | more than 4 years ago | (#31338692)

"Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."

Call me a cynic, but I've got to be honest: The net effect may be positive, but I don't believe that Microsoft's idea of 'responsible disclosure' results in high priority investigation and timely patching of MS products.

F1 key? (3, Insightful)

shivamib (1034310) | more than 4 years ago | (#31338748)

I tried it and got a Firefox friendly help tab. F1 is the second most annoying key.

What you really don't want to press is that cursed, evil POWER key. You know, when you're trying to find the Page Up ke

Nothing to Worry About... (1)

johnshirley (709044) | more than 4 years ago | (#31338764)

Most users rarely use the F1 key for its intended purpose: to get help on whichever application they're fumbling through and instead just ask the nearest person to them who "knows a lot about computers" for help. So, the risk here is probably pretty small.

Not such bad advice (3, Funny)

Alien1024 (1742918) | more than 4 years ago | (#31338796)

Given the quality of the F1-contents these days, especially in MS apps, that's not such bad advice - google instead.

Re:Not such bad advice (4, Insightful)

Opportunist (166417) | more than 4 years ago | (#31339064)

I have yet to stumble upon a helpful help page in Visual Studio 08. Usually a search with Google ends up faster on a relevant MSDN page than pressing F1 in VS.

Interestingly enough, it is also more relevant than a search inside the MSDN or using Bing. You usually do NOT find the same MSDN content as quickly within MSDN or with Bing, but instead get offered pages that try to cram some MS-interface down your throat. Maybe nice if you're programming with that interface, but utterly useless if you're using C++ instead of whatever web-aware magical brewitup crap MS tries to push currently.

Re:Not such bad advice (1)

Saint Stephen (19450) | more than 4 years ago | (#31339178)

I never buy this line of reasoning. I think the VStudio MSDN help is a lot easier, especially when you want to learn about 50 different methods all in a couple of seconds. Online, it requires 50 different page reloads. In the MSDN help, the pages load instantly. I guess I always use the index - the search itself is useless. Must be because I've been using it for a bazillion years.

I remember when the first MSDN was just a bundle of KB docs, and they put a little index on it. Boolean searches! More powah!

Does it affect Firefox on XP? (2, Interesting)

BitterOak (537666) | more than 4 years ago | (#31338800)

The security advisory says the problem has to do with the way Internet Explorer interacts with the help system. Does anyone know if Firefox users are vulnerable?

A temporary fix (1, Funny)

Anonymous Coward | more than 4 years ago | (#31338816)

One way to avoid security problems is to also avoid the "ON" button.

I thought it said 'don't press the 'F' key'... (5, Funny)

TeethWhitener (1625259) | more than 4 years ago | (#31338832)

This is ucking ridiculous. I'm a ullerene chemist, or uck's sake!

Re:I thought it said 'don't press the 'F' key'... (4, Funny)

courseofhumanevents (1168415) | more than 4 years ago | (#31339008)

+1, unny

Re:I thought it said 'don't press the 'F' key'... (0)

Anonymous Coward | more than 4 years ago | (#31339210)

Phor phuck's sake, you can still replace that with the Ph key.

This is ridiculous (1)

bl8n8r (649187) | more than 4 years ago | (#31338874)

I find it fascinating just how long everyone has been putting up with the crap attitude towards security involving windows. Internet explorer has been the biggest waste of disk space since there have been alternatives out there and it's amazing to me how many bone-headed people and developers are still insisting on using it. Microsoft must be very proud of itself.

Re:This is ridiculous (0)

Arker (91948) | more than 4 years ago | (#31338996)

What is truly sad here is that even if you only use firefox and even "disable" IE (the closest they will allow you to get to uninstalling it) you are still vulnerable.

Re:This is ridiculous (2)

maxume (22995) | more than 4 years ago | (#31339340)

No, if you are using Firefox, the VBScript that triggers the exploit will not be run.

(I guess the exploit is still there, but I'm not sure how it is going to do anything, as the trigger requires malicious code to be loaded into IE, and then the user needs to press F1 while the code is doing its thing)

To read the rest of this article... (5, Funny)

edelbrp (62429) | more than 4 years ago | (#31338882)

press F1 to continue.

Re:To read the rest of this article... (2, Interesting)

deniable (76198) | more than 4 years ago | (#31339284)

Even funnier if that's a BIOS message. No, don't press F1 if you're in Windows, yes if it's starting up, no not in IE. Help-desks of the world, I feel your pain.

Opens new doors... (3, Funny)

mgichoga (901761) | more than 4 years ago | (#31338966)

We're sunk! What happens when someone finally figures out the space bar hack?

I cannot think of a better way to spread this (2, Insightful)

NicknamesAreStupid (1040118) | more than 4 years ago | (#31339006)

than to tell people not to do it. Call it fatalism.

Having seen the average MS help file... (2, Insightful)

Chris Mattern (191822) | more than 4 years ago | (#31339018)

...you're not losing all that much.

Or don't use XP.. (1, Informative)

7of7 (956694) | more than 4 years ago | (#31339044)

How many people were still using 3.1 in 2002? If you're still using XP at this point you deserve every problem you get.

Except ... (1)

bkeahl (1688280) | more than 4 years ago | (#31339072)

Don't press the F1 key in XP after running Internet Explorer ... unless it's Wednesday, a third Tuesday of the month, or the moon is Gibbous. A browser should NOT be so integrated to the operating system to allow this sort of behavior!

Damn! (2, Interesting)

Korbeau (913903) | more than 4 years ago | (#31339086)

I'll have to stop missing the ESC and ~ key!

Most annoying thing: press F1 in a software like Visual Studio and have to wait 5 minutes for it to refresh online help.

RTFM..yeah right (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31339274)

Like windows users know what the F1 key is..or how to help themselves. That's why they use windows to begin with.

Anyone else... (1)

zerospeaks (1467571) | more than 4 years ago | (#31339290)

Suddenly get the urge to press the F1 key?

Microsoft Interview (4, Interesting)

dawilcox (1409483) | more than 4 years ago | (#31339440)

I interviewed with Microsoft for a development position a few weeks ago. I found that the interviewers were very arrogant. They assumed they knew all the details about my past projects. It felt like politics with them would be horrendous because everyone is showing each other up.

Needless to say, I turned down the job offer. It doesn't surprise me how they keep making flub ups like this when the people at their company are so arrogant.
