News of a newly discovered bug in VBScript and Windows Help files in Internet Explorer that could allow a remote attacker to run an arbitrary command reached Microsoft on Friday, and the company immediately began investigating.
After two days, they confirmed that this vulnerability “could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop up dialog box”, but that there has been no news about attacks exploiting it so far.
Maurycy Prodeus, the security analyst who discovered the vulnerability, says that Windows XP SP3 running IE 8, 7 or 6 is vulnerable, while Microsoft assures that users running Windows 7, Windows Server 2008 R2, Windows Server 2008 and Windows Vista are not affected by this issue.
Microsoft has yet to confirm when the fix will be released, but Computerworld reports that Prodeus himself offered a temporary workaround: blocking TCP port 445. “However, it is worth noting that blocking this port doesn’t solve the problem, because there might be [an]other attacking vector, for example, uploading an arbitrary file to the victim’s machine at a known path location using some third-party browser plug-ins,” he said.