Some URL schemes are ignored when you use the URL schemes in the parameters of an HTML Help ActiveX control after you install security update 896358 (905215)
The information in this article applies to:
- Microsoft Windows Server 2003 SP1, when used with:
- Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
- Microsoft Windows Server 2003, Datacenter Edition for Itanium-based Systems
- Microsoft Windows Server 2003, Enterprise x64 Edition
- Microsoft Windows Server 2003, Standard x64 Edition
- Microsoft Windows Server 2003, Datacenter x64 Edition
- Microsoft Windows 2000 Advanced Server SP4
- Microsoft Windows 2000 Advanced Server SP3
- Microsoft Windows 2000 Server SP4
- Microsoft Windows 2000 Server SP3
- Microsoft Windows 2000 Datacenter Server SP4
- Microsoft Windows 2000 Professional SP4
- Microsoft Windows XP Professional 64-Bit Edition (Itanium)
- Microsoft Windows XP Professional 64-Bit Edition (Itanium) 2003
- Microsoft Windows Millennium Edition
- Microsoft Windows 98 Second Edition
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base: 256986 Description of the Microsoft Windows registry

SYMPTOMS
After you install security update 896358, some URL schemes are ignored when you use the URL schemes in the parameters of an HTML Help ActiveX control.

Note This article contains information that is supplemental to the following Microsoft Knowledge Base articles: 896358 MS05-026: A vulnerability in HTML Help could allow remote code execution

CAUSE
This issue occurs because security update 896358 includes changes to the HTML Help ActiveX control. Previously, you could use any valid URL scheme in a parameter tag. After you install security update 896358, only the following URL schemes are supported:
- file
- http
- https
- ftp
- its
- ms-its
- mk:@msitstore
- hcp
Microsoft introduced this change to help reduce security vulnerabilities in HTML Help.

RESOLUTION
Warning The symptom is an expected and intended effect of installing the security update. This section provides a workaround to re-enable additional schemes for business-critical programs. This workaround may make the computer more vulnerable to the threats that security update 896358 addresses. The safest course is not to use this workaround. If you must use this workaround, enable only those URL schemes that your business-critical programs require.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

You can use the registry to re-enable URL schemes that you want to use in HTML Help ActiveX control parameters. For example, suppose you want to enable the news and mailto URL schemes for use in a See Also control. Doing this would enable the See Also control to start newsgroups and e-mail. The following .reg file re-enables these URL schemes.

Note You can paste the following text in a text editor such as Notepad. Then, save the file with the .reg file name extension.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"ProtocolAllowList"="news:;mailto:"

Deploying the registry keys across a domain
We recommend that you use Group Policy to deploy the settings in the examples earlier in this article as startup scripts. You can also deploy these settings as logon scripts. However, this method is less desirable because of permissions constraints. The following steps show one way to deploy the settings in the first example as a Group Policy startup script.

- Paste the following text into a text editor such as Notepad.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"ProtocolAllowList"="news:;mailto:"

- Save the file. Name the file AllowTrustedProtocols.reg.
- Paste the following text in a text editor such as Notepad.

REGEDIT.EXE /S AllowTrustedProtocols.reg

- Save the file. Name the file AllowTrustedProtocols.bat.
- Import this batch file into the Group Policy object (GPO). To do this, follow these steps:
  - Copy the batch file and the .reg file to the \\DomainName\SysVol\DomainName\Policies\GUID of the selected GPO\Machine\Scripts\Startup folder.
  - On the computer on which you want to run the GPO, click Start, click Run, type dsa.msc, and then click OK.
  - Right-click your domain, and then click Properties.
  - Click Group Policy, and then click New.
  - Type the name that you want to use for this policy, and then press ENTER.
  - Click Edit.
  - Expand Computer Configuration, expand Windows Settings, click Scripts (Startup/Shutdown), double-click Startup in the right panel, and then click Add in the Startup Properties dialog box.
  - Locate and then click the AllowTrustedProtocols.bat file.
  - Click Add.
  - Click OK, click Yes, click OK, and then click OK again.
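
One way to confirm on a client that only the intended schemes were re-enabled, as an added example that is not part of the original article: a PowerShell script that reads ProtocolAllowList and classifies each entry. The $Approved default, the function names, and the case-insensitive comparison are assumptions made for illustration. Save it as a script file so that the exit code is returned to the caller.

```powershell
# Added example (not from the KB article): audit ProtocolAllowList on this computer.
param(
    # Assumption: the schemes your business-critical programs were approved to use.
    [string[]]$Approved = @('news', 'mailto')
)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions'
$ValueName = 'ProtocolAllowList'
# Schemes the article lists as supported without any registry change.
$BuiltIn   = @('file', 'http', 'https', 'ftp', 'its', 'ms-its', 'mk:@msitstore', 'hcp')

function ConvertFrom-ProtocolAllowList {
    param([string]$Raw)
    # Format shown in the article: each scheme ends in ':' and entries are separated by ';'.
    $entries = foreach ($part in ($Raw -split ';')) {
        # Only the trailing ':' is removed, so 'mk:@msitstore:' keeps its inner colon.
        $name = $part.Trim().TrimEnd(':').ToLowerInvariant()
        if ($name) { $name }
    }
    @($entries | Select-Object -Unique)
}

function Test-ProtocolAllowList {
    param([string]$Raw, [string[]]$Approved, [string[]]$BuiltIn)
    foreach ($scheme in (ConvertFrom-ProtocolAllowList -Raw $Raw)) {
        $status = 'Unapproved'    # re-enabled but not on the approved list
        if ($Approved -contains $scheme) { $status = 'Approved' }
        if ($BuiltIn -contains $scheme)  { $status = 'Redundant' }    # already supported
        New-Object PSObject -Property @{ Scheme = $scheme; Status = $status }
    }
}

$item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Output "$ValueName is not set; only the schemes listed in the article are supported."
    exit 0
}

$report = @(Test-ProtocolAllowList -Raw $item.$ValueName -Approved $Approved -BuiltIn $BuiltIn)
$report | Select-Object Scheme, Status | Format-Table -AutoSize
# A non-zero exit code lets a management tool flag computers that need review.
if ($report | Where-Object { $_.Status -eq 'Unapproved' }) { exit 1 } else { exit 0 }
```
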
Modification Type: Major | Last Reviewed: 2/28/2006
Keywords: kbSecurity kbtshoot kbprb KB905215 kbAudITPRO kbAudEndUser