If your organization is running Internet Explorer on Windows 2000, Windows XP and/or Windows Server 2003, be aware that Microsoft recently issued a security advisory regarding a reported vulnerability in VBScript that can be exploited for the purpose of remote code execution via a malicious web site. It takes advantage of the way VBScript interacts with Windows Help files when you’re using IE. The exploit would require that the user press the F1 key while on the web site.
This could be especially dangerous if the user is logged on as an administrator, as many XP users routinely do. The attacker gains the user rights of the logged on user, and thus could take control of the entire system. One way to protect against this vulnerability on affected systems is to set Internet zone security settings to High and/or manually disabling Active Scripting. You can also modify the ACL on winhlp32.exe, but this will prevent users from being able to use the Help system.
For more information, see Microsoft’s Security Advisory 981169 at