A proof of concept that details how arbitrary code can be run on a targeted machine by using VBScript in an .HLP file has been publicly posted. If a person with malicious intent hosts a specially crafted webpage, lures a computer user to that webpage and convinces him to press the F1 key, it could lead to remote code execution, announced the Microsoft Security Response Center (MSRC).

The good news is that no attacks exploiting this vulnerability have been spotted in the wild. The other good news is that Windows 7, Windows Vista, Windows Server 2008 and Windows Server 2008 R2 are not affected. Windows XP SP2 and SP3, and Windows Server 2003 SP2 are affected though.

“Windows Help files are an inherently unsafe file format. That means these files can run arbitrary code, thus the browser must prevent remote Windows Help files from executing automatically. VBScript functionality available from within Internet Explorer exposes the MsgBox function, allowing script on a web page to display a message to the user. The parameters supplied to the MsgBox function may reference an associated Window Help file, though this functionality is limited when VBScript is used within the browser. hough user interaction is required the F1 keyboard shortcut does enable an attack scenario. In the exploit, a file path enables a .HLP file to be loaded from the local filesystem, SMB, or WebDav,” explained David Ross, MSRC Engineering.

Microsoft’s investigation into this issue is ongoing. As Senior Security Communications Manager Lead with the MSRC, Jerry Bryant explained, the Redmond-based software giant will take appropriate action to protect its customers once the investigation has been completed. An out-of-band update may even be released if the situation calls for it. In the meanwhile Security Advisory 981169 has been posted online to offer Microsoft customers guidance on how to stay protected. A simple workaround would be to disable active scripting in IE for example. Or change the permission on winhlp32.exe.