Microsoft has confirmed a potentially dangerous, unpatched vulnerability in Internet Explorer that is triggered when the F1 key is pressed on earlier versions of Windows.
The bug is within the VBScript that is integrated with Internet Explorer, making it potentially possible to create a website that tricks the user into pressing the F1 button. The site then pushes out malware to the user. It is a pretty clever technique for getting malware onto a network, and no doubt effective. However, it only works on older versions of Windows: XP, 2000 and Server 2003. Vista, 7 and Server 2008 are not affected.
Microsoft have said that they are not aware of any attacks using this technique, but now that the cat’s out of the bag it’s surely only a matter of time. They have criticised the security researchers, saying that they should have come to Microsoft first before releasing the information. Microsoft published the following statement regarding the matter:
"Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."
The Redmond security bods are still looking into the vulnerability, but a patch is likely to be on the cards, obviously. MS have not said when it will arrive, but the next Patch Tuesday is drawing near. Probably too near: it looks likely that the patch will not be released till April/May time.
