MS05-026: A vulnerability in HTML Help could allow remote code execution (896358)
The information in this article applies to:
- Microsoft Windows Server 2003 SP1, when used with:
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
- Microsoft Windows Server 2003, Datacenter Edition for Itanium-based Systems
- Microsoft Windows Server 2003, Standard x64 Edition
- Microsoft Windows Server 2003, Enterprise x64 Edition
- Microsoft Windows Server 2003, Datacenter x64 Edition
- Microsoft Windows XP Professional 64-Bit Edition (Itanium) 2003
- Microsoft Windows XP Professional 64-Bit Edition (Itanium)
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows XP Service Pack 2
- Microsoft Windows XP Service Pack 1
- Microsoft Windows 2000 Advanced Server SP4
- Microsoft Windows 2000 Datacenter Server SP4
- Microsoft Windows 2000 Professional SP4
- Microsoft Windows 2000 Server SP4
- Microsoft Windows 2000 Advanced Server SP3
- Microsoft Windows 2000 Datacenter Server SP3
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Server SP3
- Microsoft Windows Millennium Edition
- Microsoft Windows 98 Second Edition
- Microsoft Windows 98
SUMMARYMicrosoft has released security bulletin MS05-026. The
security bulletin contains all the relevant information about the security
update. This includes file information and deployment options. To view the
complete security bulletin, visit the following Microsoft Web sites:
- Home users:
- IT professionals:
Known issues- After you install security update 896358, certain kinds of
Web-based applications may not function correctly. For example, an HTML Help
table of contents may no longer function. Additionally, certain HTML Help
features, such as the Related Topics feature, may not work when the .chm file
is opened from a remote location.
For more information about this issue, click the
following article number to view the article in the Microsoft Knowledge Base:
892675
Certain Web sites and HTML Help features may not work after you install security update 896358 or security update 890175
- After you install security update 896358, the features of
some Web applications no longer work correctly. For example, a topic may not
appear when you click a link. Also, when you try to use a Universal Naming
Convention (UNC) path to open a .chm file that is on a network shared folder,
topics in the .chm file may not appear. For more information about this issue, click the following
article number to view the article in the Microsoft Knowledge Base:
896054
You cannot open remote content by using the InfoTech protocol after you install security update 896358, security update 840315, or Windows Server 2003 Service Pack 1
- After you install security update 896358, Web applications
that use the HTML Help ActiveX control (HHCTRL) to enable cross-frame
navigation may not work. For more information about this issue, click
the following article number to view the article in the Microsoft Knowledge
Base:
896905
After you install security update 896358, content that should be displayed in a different frame is displayed in the frame that contains the HTML Help ActiveX control
- After you install security update 896358, you may have
problems opening an HTML Help file from a hyperlink in Internet Explorer.
For more information about this issue,
click the following article number to view the article in the Microsoft
Knowledge Base:
902225
You cannot open HTML Help files from Internet Explorer after you install security update 896358 or Windows Server 2003 Service Pack 1
- After you install security update 896358, the HTML Help
ActiveX control will no longer accept certain kinds of URLs in
parameters. For more information about this
issue, click the following article number to view the article in the Microsoft
Knowledge Base:
905215
Some URL schemes are ignored when you use the URL schemes in the parameters of an HTML Help ActiveX control after you install security update 896358
THINGS TO TRYChanges to HTML Help in security update 896358Warning This article offers information about how to work around issues
that are caused by the deployment of security update 896358. However, Microsoft
makes no specific recommendations about which registry keys and values are
right for your organization. Your IT department is the best judge of how to
weigh the advantages of these workarounds against the risks of using them. The
safest course is to use no registry workarounds at all. The following
are brief explanations of how update 896358 may affect Web applications.
|
The InfoTech Protocol is blocked from accessing remote
content | The InfoTech protocol could display remote content, except on
Windows Server 2003 Service Pack 1 (SP1), where this display was
blocked. | All operating systems are blocked from using the InfoTech
protocol to display remote content. | 896054 You cannot open remote content by using the InfoTech protocol after you install security update 896358, security update 840315, or Windows Server 2003 Service Pack 1
| Use of the HTML Help ActiveX control is blocked in remote
content | Security update 890175 blocked the use of the HTML Help ActiveX
control in remote content that is shown in an application other than HTML Help.
For example, the control is blocked in Internet Explorer. | The HTML Help
ActiveX control is now also blocked within the HTML Help
application. | 892675 Certain Web sites and HTML Help features may not work after you install security update 896358 or security update 890175
| Use of the HTML Help ActiveX control to display content in
another frame is blocked | Security update 890175 blocked the use of the
HTML Help ActiveX control in remote content that is shown in an application
other than HTML Help. For example, the control was blocked in Internet
Explorer. | Web applications that use the HTML Help ActiveX control to
enable cross-frame navigation will not work correctly. The content that should
appear in a different frame appears in the frame that contains the HTML Help
ActiveX control. | 896905 After you install security update 896358, content that should be displayed in a different frame is displayed in the frame that contains the HTML Help ActiveX control
| .chm files cannot be opened from Internet Explorer | No
issue. | When you use Internet Explorer to open a .chm file, the topic
does not display.
After you use Internet Explorer to save a .chm
file, some users may have some trouble opening the file because of Attachment
Manager protections. | 902225 You cannot open HTML Help files from Internet Explorer after you install security update 896358 or Windows Server 2003 Service Pack 1
| Some URL schemes are ignored when you use the URL schemes in
the parameters of an HTML Help ActiveX control. | Any scheme was
permitted in HTML Help ActiveX control parameters. | All schemes except
the following are ignored by the HTML Help ActiveX control: file, http, https,
ftp, its, ms-its, mk:@msitstore, Hcp. | 905215 Some URL schemes are ignored when you use the URL schemes in the parameters of an HTML Help ActiveX control after you install security update 896358
|
Approaches to working around application compatibility issues in security update 896358Security update 896358 supports some registry keys and registry
entries that you can use to work around application compatibility issues. Use
these questions to help decide which registry changes to make:
- Does your organization require applications or scenarios
that are affected by the changes that are described in this article?
- How many applications are affected by the changes? How
important are these applications?
- How severe is the malfunction that is caused by the
changes?
- Can you modify the programs so that they do not have
to use HTML Help functionality? For example, can your employees download .chm
files instead of running them from file share? Can a Web application use a
DHTML table of contents instead of using the HTML Help ActiveX
control?
- What are the security requirements and capabilities of your
organization?
- Which is more important, the HTML Help functionality
that you are using, or making sure that your security is as strong as
possible.
- Are you considering enabling HTML Help technologies for
use within your intranet, as discussed in the following examples? If you are,
do external security measures, such as a corporate firewall, give you
sufficient confidence to follow this course? Do you trust your employees enough
that you are not worried about a system inside your organization being used to
attack another?
Some examples of working with security update 896358Warning The safest course is to use no registry workarounds at all. If
you must use registry workarounds, set them as conservatively as possible. For
example, use these methods:
- Instead of using the MaxAllowedZone registry entry, use the
UrlAllowList registry entry. Set UrlAllowList to enable as few sites as
possible.
- If you must use the MaxAllowedZone registry entry, set
MaxAllowedZone no higher than you must. Setting MaxAllowedZone to 3 or higher
exposes your systems to attack from the Internet.
After you have gathered the information about your
organization's use of HTML Help, review the following examples to see if they
are useful in helping you create a strategy to use as you apply security update
896358 within your organization. An example of a conservative approachA conservative approach could work if the following statements
apply to your organization:
- There are no known Web applications that use HTML Help
technology.
- Making security as strong as possible outweighs the
requirement for applications and scenarios that use HTML Help to work
correctly.
- You have Web applications use HTML Help technology, but the
owners of these applications can quickly modify these applications to use other
technologies.
- For any applications and scenarios that require HTML Help
technology, you know or can quickly identify the application servers and file
shares on which they are deployed. Also, you can provide sufficient protection
for these application servers and file shares.
- Nobody has to open .chm files from remote locations, such
as file shares.
The following method is one example of a conservative approach:
- Apply security update 896358. Then, use a Group Policy
object to enforce restrictions.
By default, if you do not modify one
or more of the registry entries after you install security update 896358, the
security mitigations in security update 896358 will be as restrictive as
possible. However, you can use a Group Policy object to prevent individual
users from loosening the restrictions themselves.
The following
registry file makes the security mitigations in security update 896358 as
restrictive as possible:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"MaxAllowedZone"=dword:00000000
"UrlAllowList"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"MaxAllowedZone"=dword:00000000
"UrlAllowList"="" If you know that your organization uses no Web applications that require
HTML Help, and the users in your organization do not require access to remote
.chm files, you can stop here. - Research how Web applications use HTML Help. You may have
heard from users that some internal Web applications are affected by the
update. Contact the owners of these Web applications and see if they can
reengineer features that require HTML Help technology. If the Web applications
can do without HTML Help technology, you can stop here.
- Selectively enable Web applications. If you find that some
Web applications must be able to use HTML Help functionality, you can
selectively re-enable access to the servers that host those applications. The
following registry file example re-enables the HTML Help ActiveX control and
the InfoTech protocol for a specific site. This registry file example also
re-enables cross-frame navigation by the HTML Help ActiveX control.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"MaxAllowedZone"=dword:00000000
"UrlAllowList"="http://contoso/salesapp/"
"EnableFrameNavigationInSafeMode"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"MaxAllowedZone"=dword:00000000
"UrlAllowList"="http://contoso/salesapp/" Note Users may still not be able to open .chm files directly from a
link in a Web page.
For more
information about this issue and workarounds, click the following article
number to view the article in the Microsoft Knowledge Base: 902225
You cannot open HTML Help files from Internet Explorer after you install security update 896358 or Windows Server 2003 Service Pack 1
An example of a less conservative approachThis approach could work well if some of the following statements
apply to your organization:
- You are willing to accept additional risk in order to avoid
having security update 896358 adversely affect your applications.
- You cannot quickly identify all specific applications and
scenarios that require HTML Help technology.
- Web applications that use HTML Help technology are very
important to your line of business. Also, you cannot quickly modify these
applications to use other technologies.
The following method is one example of a less conservative
approach:
- Apply security update 896358. Then, use a Group Policy
object to enforce restrictions.
The following registry file example
lets all the systems in your intranet serve the HTML Help ActiveX control and
content by using the InfoTech protocol. This registry file example also
re-enables cross-frame navigation by the HTML Help ActiveX control.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"MaxAllowedZone"=dword:00000001
"EnableFrameNavigationInSafeMode"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"MaxAllowedZone"=dword:00000001 Note Users may still not be able to open .chm files directly from a
link in a Web page.
For more information about this issue and workarounds, click the following article number to view the article in the Microsoft Knowledge Base:
902225
You
cannot open HTML Help files from Internet Explorer after you install security
update 896358 or Windows Server 2003 Service Pack 1
- Research how Web applications use HTML Help. Determine
which Web applications require HTML Help technology. Contact the owners of
these Web applications and see if they can reengineer features that require
HTML Help technology.
- Tune HTML Help settings based on research. If your research
determines that the Web applications no longer need HTML Help technology, you
can deploy the following registry file to establish the maximum restrictions
that are supported by security update 896358:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"MaxAllowedZone"=dword:00000000
"UrlAllowList"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"MaxAllowedZone"=dword:00000000
"UrlAllowList"="" If you find that some Web applications have to use HTML Help
functionality, you can restrict the systems that are enabled to use the
technology. The following registry file example restricts use of the HTML Help
ActiveX control and the InfoTech protocol for specific intranet sites. This
registry file example also continues to let the HTML Help ActiveX control
navigate across frames.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"MaxAllowedZone"=dword:00000000
"UrlAllowList"="http://wingtiptoys/catalog/;\\wingtiptoys\help\helpfiles;"
"EnableFrameNavigationInSafeMode"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"MaxAllowedZone"=dword:00000000
"UrlAllowList"="http://wingtiptoys/catalog/;\\wingtiptoys\help\helpfiles;file://\\wingtiptoys\help\helpfiles"
Registry entriesThe following table lists the HTML Help registry entries that this
article discusses. The table also lists the Microsoft Knowledge Base article
that you can see for more information.
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions\MaxAllowedZone | 892675 Certain Web sites and HTML Help
features may not work after you install security update 896358 or security
update 890175
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions\UrlAllowList | 892675 Certain Web sites and HTML Help
features may not work after you install security update 896358 or security
update 890175
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions\EnableFrameNavigationInSafeMode | 896905 After you install security update
896358, content that should be displayed in a different frame is displayed in
the frame that contains the HTML Help ActiveX control
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions\MaxAllowedZone | 896054 You cannot open remote content by
using the InfoTech protocol after you install security update 896358, security
update 840315, or Windows Server 2003 Service Pack 1
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions\UrlAllowList | 896054 You cannot open remote content by
using the InfoTech protocol after you install security update 896358, security
update 840315, or Windows Server 2003 Service Pack 1
|
Internet Explorer security zones
For more information about how to use security zones in Internet
Explorer, click the following article number to view the article in the Microsoft Knowledge Base:
174360
How to use security zones in
Internet Explorer
Group PolicyFor more information about Group Policy, visit the following
Microsoft Web sites:
- Group Policy collection
- Group Policy Object Editor
- Core Group Policy tools and settings
Microsoft
provides programming examples for illustration only, without warranty either
expressed or implied. This includes, but is not limited to, the implied
warranties of merchantability or fitness for a particular purpose. This article
assumes that you are familiar with the programming language that is being
demonstrated and with the tools that are used to create and to debug
procedures. Microsoft support engineers can help explain the functionality of a
particular procedure, but they will not modify these examples to provide added
functionality or construct procedures to meet your specific requirements.
Technical support for x64-based versions of Microsoft Windows On computers that are running x64-based versions of Microsoft
Windows, you may have to adapt the instructions in the
"Resolution" section about how to modify the registry. For example, you might
have to modify a different part of the registry, depending on whether you want
to modify the 32-bit or the 64-bit functionality.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
896459
Registry changes in x64-based versions of Windows Server 2003 and in Windows XP Professional x64 Edition
Your hardware manufacturer provides
technical support and assistance for x64-based versions
of Windows. Your hardware manufacturer provides
support because an x64-based version of Windows was included with your hardware. Your hardware manufacturer might have
customized the installation of Windows with unique components.
Unique components might include specific device drivers or might include
optional settings to maximize the performance of the hardware. Microsoft will
provide reasonable-effort assistance if you need technical help with your
x64-based version of Windows. However, you might have to contact your
manufacturer directly. Your manufacturer is best qualified to support the
software that your manufacturer installed on the hardware. For product
information about Microsoft Windows XP Professional x64 Edition, visit the
following Microsoft Web site: For product information about x64-based versions of Microsoft
Windows Server 2003, visit the following Microsoft Web site:
Modification Type: | Minor | Last Reviewed: | 7/26/2006 |
---|
Keywords: | kbQFE kbSecurity KbSECBulletin KbSECVulnerability kbWinXPpreSP2fix kbBug kbfix kbWinServ2003preSP1fix kbWin2000preSP5fix kbWinNT400PreSP7Fix kbHotfixServer kbpubtypekc KB896358 kbAudEndUser kbAudITPRO |
---|
|
|
©2004 Microsoft Corporation. All rights reserved.
|
|