An unconscious press F1 button can be enough.
Microsoft has received reports of a vulnerability in Windows 2000, Windows XP and Windows Server 2003 that can give unauthorized access to execute arbitrary code on the vulnerable system. The vulnerability will not be used in newer Windows versions.
The vulnerability is related to how VBScript works with Windows Help files using Internet Explorer.
If a malicious Web page displays a specially designed dialog and the user press the F1 key, the arbitrary code execution with the same privileges as the logged-on user.
In an attempt to exploit the vulnerability, the attacker must try to persuade the user to press the F1 key. Utilization should not be done without the user disappointed to help out.
Exploitation of the vulnerability can be prevented if the Internet Explorer Enhanced Security Configuration is enabled, which is the default setting on Windows Server 2003.
This can also be activated via the command line in the other, affected Windows versions using the following command:
echo Y | cacls "% windir% \ WinHlp32.exe" / E / P everyone: N
Microsoft is still investigating the vulnerability and is currently no security fix ready.
It is unlikely that a security fix will be finished by next routine release, which is Tuesday in a week. However, Microsoft considers to be an extraordinary release, if it turns out that the vulnerability actively exploited in the attack.
End Of Post.