So there's this tiny unpatched bug in VBScript that lets sneaky websites run malicious code on machines running Internet Explorer on Windows XP. It's triggered when you try to access the help menu by hitting the F1 key. Whoops.
According to a recent Microsoft security advisory:
The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer. If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user.
This means that all someone with ill intentions needs to do is create a website which has a somewhat convincing popup prompt to coax you into hitting F1. And tada! You've allowed him or her to run some kind of code on your machine.
It'll be a while before a patch is available for this bug, but in the meantime Microsoft suggests that you protect yourself by not pressing the F1 key if a Web site tells you to. [Microsoft via Computer World via Slashdot]
Picture by Karl Alvin