Another flaw has been found in versions 7 and 8 of Internet Explorer running on Windows XP. There’s an unpatched bug in VBScript that hackers can use to drop malware on 32-bit Windows XP machines. Microsoft says an exploit “was posted publicly that could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop up dialog box.”
Furthermore, “The issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as ‘unsafe file types.’” Interesting that Microsoft views their own Help System as unsafe …
Microsoft says they are not aware of anyone using this exploit yet, but that’s probably just them trying to tame the issue. If an exploit is available, someone will be using it. No patch is available yet, so at minimum, switch to another browser; if you’re feeling a little braver, switch to another platform completely.
UPDATE: The list of platforms affected by this flaw has now been expanded to include Windows 2000 and 2003, as well as any version of IE on those platforms, including IE 6.