Recently, there have been lots of blog posts and articles about the discovery of a bug relating to F1 key. So, what is the nature of this issue?

From our research, there are two, not just one, such holes. Both holes relate to Windows’ help files processing mechanism but are different in their essence.

One hole arises from the parameter transmission mechanism of MsgBox() function in VBScript. Help file (.hlp), transmitted as this function’s forth parameter, will be opened with Windows Help (winhlp32.exe) if users press F1 button on MessageBox window. The other hole involves the execution of Windows Html Help (.chm)

VBScript’s vulnerability  in Windows Help (winhlp32.exe)

On Windows versions prior to Vista, winhlp32.exe is the program supporting .hlp help files display (winhlp32.exe is not a built-in program on Windows Vista and later Windows versions).

A .hlp file is a compilation of Help Project File (.hpj) and text files (.rtf - Rich Text Format), and sometimes other data files. Among which, .hpj file is in charge of linking data and defining the structure of the help file to be generated.

EF Macro (ExecFile) in [CONFIG] field of project file (.hpj) makes Windows Help program, when running corresponding help file, open other files in accordance with this macro’s parameter. Theoretically, this assists help files to track and run supplementary files. However, because the program does not check the format of the input file to EF Macro before inserting it to the call for API ShellExecute() function, winhlp32.3xe might run any executable files via ShellExecute () instead of opening just another .hlp one. This means the running of a .hlp file might always cause Windows Helps to execute arbitrary commands.

Example of a .hpj file’s summoning executable file calc.exe

This feature, together with characteristic of MsgBox() function in VBScript, allows bad guys to remotely attack a computer. Specifically, on a website, hackers will insert a VBScript code containing call for MsgBox() function, of which the first parameter is a message enticing users to press F1, and the forth parameter points to the help file prepared for the exploitation. Then, if users open that website with Internet Explorer (IE) and press F1 after seeing the message box, Windows Help will be utilized to open the help file (.hlp) sent through MsgBox function. It means the malicious code will be executed.

Vulnerability in .chm processing module

While .hlp help files are run by winhlp32.exe, Microsoft Windows Html Help (.chm) is processed by hh.exe.

Like .hlp, .chm format is the combination of different files: html (help content), .hhc (index), .hhk (index). The flaw is found in the processing of *.hhc, which might contain JavaScript code and hh.exe will run that script before executing arbitrary code.

A sample of index file (.hhc) inserted with JavaScript code; the code will execute file script.vbs

The content of file script.vbs running calc.exe

So, a .chm file also hides a potential threat to users’ computers. To remotely exploit this hole, hackers will take advantage of a .chm supporting program, for example notepad.exe and then trick users in pressing F1 when opening .txt file in the same folder with the prepared .chm file. When this help file runs, the hidden malicious code will be executed.


Microsoft has not released patches for these two holes yet. Hence, to ensure the security for computers, users should avoid pressing F1 when seeing request from a certain website or a document. At the same time, pay attention to update patches when they are issued.

Author: Le Manh Tung

Leave a Reply

Name (required)
Mail (hidden) (required)
Text to Identify

Popup Date Time Portlet

Blogs Aggregator

Recent Posts

Blog Category Portlet


Store Portlet


Vote Baby Portlet