Microsoft on Sunday confirmed it's investigating an unpatched bug in VBScript that hackers could exploit to plant malware on Windows XP machines running Internet Explorer (IE).
The flaw could be used by attackers to inject malicious code onto victims' PCs, said Maurycy Prodeus, the Polish security analyst with iSEC Security Research who revealed the vulnerability and posted attack code on Friday.
Users running IE7 or the newer IE8 are at risk, said Prodeus.
Microsoft noted it's already on the case. "Microsoft is investigating new public claims of a vulnerability involving the use of VBScript and Windows Help files within Internet Explorer," said Jerry Bryant, a senior manager with the Microsoft Security Response Center (MSRC), in an email Sunday. The current state of our investigations shows that Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, are not affected."
Bryant added that Microsoft has not yet seen any evidence of attacks exploiting the vulnerability.
Prodeus called the bug a "logic flaw," and said attackers could exploit it by feeding users malicious code disguised as a Windows help file - such files have a ".hlp" extension - then convincing them to press the F1 key when a pop-up appeared. He rated the vulnerability as "medium" because of the required user interaction.
"First an attacker needs to force a victim to visit a malicious web page," Prodeus said in an email Sunday. "The victim must be using Windows XP [and] Internet Explorer. A bit of social engineering is required to persuade the victim to push F1 button when [a] VBScript pop-up is displayed."
Another security researcher, Cesar Cerrudo, confirmed that Prodeus' proof-of-concept exploit works. "I tried the exploit and I can confirm it reliably works on IE8 with Windows XP fully patched," said Cerrudo, the head of Argeniss Information Security, an Argentinean security consultancy.
Cerrudo thought that the flaw was more serious than did Prodeus. "I would say the vulnerability is 'high severity,' not 'medium'," said Cerrudo in an email. "It's not critical since it needs user interaction, the user pressing F1 key when a message dialog is displayed. [But] I would say that there is a high probability a regular user will press F1 key if asked, since an attacker can annoy the user with hundred of messages telling the user to press F1 to continue."
According to Cerrudo, Prodeus' attack is successful because it abuses the VBScript "MsgBox()" function.
"Windows Help files are included in a long list of what we refer to as 'unsafe file types'," acknowledged Microsoft's Bryant in a follow-up on the MSRC blog later on Sunday. "These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system."
Bryant didn't provide a timeline for a fix, but used Microsoft boilerplate in his e-mail to say that the company might address the vulnerability with a regularly-scheduled fix, a so-called "out-of-band" update or other guidance.
Microsoft's next scheduled security release date is 9 March.
Although Microsoft has not yet recommended any defensive steps Windows XP users can take until a patch is available, Prodeus said blocking the outbound TCP port 445 would stymie attacks. "However, it is worth to note that blocking this port doesn't solve the problem, because there might be [an]other attacking vector, for example, uploading an arbitrary file to the victim's machine at known path location using some third-party browser plug-ins," he said.
Another workaround, said Cerrudo in a Friday tweet, is to ditch IE for another browser.