Users got another reason to switch to Windows 7 today when Microsoft announced that a VBScript bug could be used to install malware on computers running Internet Explorer and Windows XP.
The hole was discovered by Maurycy Prodeus of iSEC Security Research, who posted a proof-of-concept hack this past Friday.
Unlike the high-profile bug that started forcing Google to disable its apps in IE6 in January, this issue affects Windows XP users running Internet Explorer 7 and Internet Explorer 8. Microsoft has said that users running Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 are safe from the exploit.
To make use of the security hole, a malware writer would have to get a user to open a malicious Windows Help (.hlp) file and press F1 to allow it to run.
Microsoft has not said when a patch will be released to fix this problem, and it has not yet seen evidence of any attackers exploiting the hole. Microsoft’s next batch of security updates comes out on Patch Tuesday, March 9, but the company has been known to release out-of-band security updates to patch holes like this one in the past.
My recommendation to users, as always, is to ditch Windows XP for Windows 7 and Internet Explorer for Firefox or Google Chrome, which are both fully featured and excellent alternatives.


