Apparently there is a new zero-day flaw that affects Windows XP and 2000 computers utilizing VBScript. An attacker can trick someone into visiting a website that binds the F1 key to a VBScript event which ultimately installs malicious code on your machine. Microsoft’s fix: Don’t press the F1 key when windows pop up. LOL. Ok I’m being arrogant but seriously, that was on their list! The VBCript global method called MsgBox() is used for the pop-up message which convinces the user into pressing the F1 key. A Microsoft help (.hlp) files is attached to the F1 event and is what contains the exploit. Users running IE7 or the newer IE8 with a fully patches Windows XP are at risk.

The advisory (by Microsoft) includes several workarounds, including advice to avoid pressing the F1 key when prompted by a Web site, restricting access to the Windows Help System, setting Internet and Local intranet security zone settings to “high” to block ActiveX Controls and Active Scripting, and configuring IE to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zone.

-CNET