RESOLUTION
Warning: The symptoms are an expected and intended effect of installing
the security updates. This section provides examples for administrators who
must re-enable the HTML Help ActiveX control for business-critical programs.
The workarounds may make the computer more vulnerable to the threats the
security updates address. The safest course is not to use the registry
workarounds. If you must use workarounds, set the registry values to be as
restrictive as possible.
Warning: Serious problems might occur if you modify the registry
incorrectly by using Registry Editor or by using another method. These problems
might require that you reinstall your operating system. Microsoft cannot
guarantee that these problems can be solved. Modify the registry at your own
risk.
The first of the following examples is the most
restrictive example. The next examples are successively less restrictive.
Example 1: Use the UrlAllowList entry to enable specific URLs
Warning: Include only URLs for sites that you trust.
The .reg
file in this example re-enables hosting of the HTML Help ActiveX control in the
following remote content:
- Any .chm files that are in the \\productmanuals\helpfiles
folder
- A Web application that is located at
http://www.wingtiptoys.com/help.
Paste the following text in a text editor such as Notepad. Then,
save the file by using the .reg file name extension.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"UrlAllowList"="\\\\productmanuals\\helpfiles;http://www.wingtiptoys.com/help/"

You cannot use wildcard characters in the URL string of any site that is
added to the UrlAllowList registry entry. For example, you cannot use the
following URL string:
"UrlAllowList"="http://*.wingtiptoys.com"
However, you can use the following URL string:
"UrlAllowList"="http://help.wingtiptoys.com"
This string lets the following sites host the HTML Help ActiveX
control:
- http://help.wingtiptoys.com/research
- http://help.wingtiptoys.com/sales
Example 2: Use the MaxAllowedZone entry to enable a security zone
Warning: The MaxAllowedZone entry enables all sites in a particular zone.
Using the UrlAllowList entry may be safer. If you must use the MaxAllowedZone
entry, set the value no higher than is required. If you set the MaxAllowedZone
value to 3 or higher, you expose systems to attack from the Internet.
Note: By default, the value for the MaxAllowedZone entry is set to
zero. The following table summarizes which zones are allowed or blocked for
each value of the MaxAllowedZone entry.
MaxAllowedZone | Local Machine zone | Local intranet zone | Trusted sites zone | Internet zone | Restricted sites zone |
0 | Allowed | Blocked | Blocked | Blocked | Blocked |
1 | Allowed | Allowed | Blocked | Blocked | Blocked |
2 | Allowed | Allowed | Allowed | Blocked | Blocked |
3 | Allowed | Allowed | Allowed | Allowed | Blocked |
4 | Allowed | Allowed | Allowed | Allowed | Allowed |
Paste the following text in a text editor such as Notepad.
Then, save the file by using the .reg file name extension. This .reg file lets
all content in the Intranet zone host the HTML Help ActiveX control.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"MaxAllowedZone"=dword:00000001

Example 3: Use the UrlAllowList entry and the MaxAllowedZone entry
Warning: The MaxAllowedZone entry enables all sites in a particular zone.
Using the UrlAllowList entry may be safer. If you must use the MaxAllowedZone
entry, set the value no higher than is required. If you set the MaxAllowedZone
value to 3 or higher, you expose systems to attack from the
Internet.
Paste the following text in a text editor such as Notepad.
Then, save the file by using the .reg file name extension. The following .reg
file lets all content in the Intranet zone host the HTML Help ActiveX control.
This .reg file also lets two Internet sites host the control.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"MaxAllowedZone"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"UrlAllowList"="http://www.wingtiptoys.com/;http://www.contoso.com/"

Deploying the registry keys across a domain
We recommend that you use Group Policy to deploy the settings that
are mentioned in the examples in this article as startup scripts. You can also
deploy these settings as logon scripts. However, this method is less desirable
because of permissions constraints.
The following steps are an example
of how to deploy the settings in Example 1 as a Group Policy startup script.
1. Paste the following text into a text editor such as Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"UrlAllowList"="http://myintranetapplication/help/helpfiles;http://www.wingtiptoys.com/help/helpdocuments"

2. Save the file as a .reg file. Name the file AllowTrustedSites.reg.
3. Paste the following text into a text editor such as Notepad:

REGEDIT.EXE /S AllowTrustedSites.reg

4. Save the file as a batch file. Name the file AllowTrustedSites.bat.
5. Import the batch file into the Group Policy object (GPO). To do this, follow these steps:
   a. Paste the batch file that you created in step 4 and the .reg file that you created in step 2 to the \\DomainName\SysVol\DomainName\Policies\GUID of the selected GPO\Machine\Scripts\Startup folder.
   b. On the computer on which you want to run the Group Policy object, click Start, click Run, type dsa.msc, and then click OK.
   c. Right-click your domain, and then click Properties.
   d. Click Group Policy, and then click New.
   e. Type the name that you want to use for this policy, and then press ENTER.
   f. Click Edit.
   g. Expand Computer Configuration, expand Windows Settings, and then click Scripts (Startup/Shutdown).
   h. In the right panel, double-click Startup, and then click Add.
   i. Locate and then click the batch file that you created in step 4.
   j. Click Add.
   k. Click OK, click Yes, and then click OK two times.
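To confirm what these settings resolve to on a computer after deployment, the following PowerShell script reads both values and flags the conditions that this article warns about. It is an added example, not part of the original Microsoft article; the function names, the severity labels, and the check of the Wow6432Node (32-bit) registry view are assumptions made for illustration.

```powershell
# Added example: audit the HHRestrictions values this article describes.
# The Wow6432Node path is the 32-bit view of HKLM\SOFTWARE on x64 Windows;
# checking it for these values is an assumption, not something the article states.
$views = [ordered]@{
    'native' = 'HKLM:\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions'
    '32-bit' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\HTMLHelp\1.x\HHRestrictions'
}
# Index = zone number, in the column order of the article's MaxAllowedZone table.
$zoneNames = 'Local Machine', 'Local intranet', 'Trusted sites', 'Internet', 'Restricted sites'

function New-Finding([string]$View, [string]$Severity, [string]$Detail) {
    [pscustomobject]@{ View = $View; Severity = $Severity; Detail = $Detail }
}

function Get-HHRestrictionFinding([string]$View, [string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Finding $View 'Info' 'Key absent: defaults apply (MaxAllowedZone 0)'
    }
    $key = Get-Item -LiteralPath $Path

    # MaxAllowedZone: each zone numbered at or below the value may host the control.
    $raw = $key.GetValue('MaxAllowedZone')
    if ($null -eq $raw) {
        New-Finding $View 'Info' 'MaxAllowedZone not set: default 0 (Local Machine only)'
    } elseif ($key.GetValueKind('MaxAllowedZone') -ne 'DWord' -or $raw -lt 0 -or $raw -gt 4) {
        New-Finding $View 'High' "MaxAllowedZone '$raw' is not a DWORD in the table's 0-4 range"
    } else {
        $severity = if ($raw -ge 3) { 'High' } elseif ($raw -ge 1) { 'Review' } else { 'Info' }
        New-Finding $View $severity ("MaxAllowedZone=$raw allows: " + ($zoneNames[0..$raw] -join ', '))
    }

    # UrlAllowList: semicolon-separated; the article says wildcards cannot be used.
    $list = "$($key.GetValue('UrlAllowList'))"
    foreach ($entry in ($list -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        if ($entry -match '\*') {
            New-Finding $View 'Review' "Wildcard entry (wildcards cannot be used): $entry"
        } elseif ($entry -match '^(https?://|\\\\)') {
            New-Finding $View 'Review' "Allowed location, confirm it is trusted: $entry"
        } else {
            New-Finding $View 'Review' "Unrecognized entry form: $entry"
        }
    }
}

$views.GetEnumerator() | ForEach-Object { Get-HHRestrictionFinding $_.Key $_.Value } |
    Format-Table -AutoSize -Wrap
```

Run it from a 64-bit PowerShell session; in a 32-bit session, registry redirection makes both paths show the 32-bit view.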
MORE INFORMATION
If you download an HTML Help .chm file and either open it directly or save it locally and then open it, you may experience one or more of the following symptoms:
- Certain kinds of Web-based programs may not work correctly. For example, a table of contents in HTML Help may no longer work.
- Certain HTML Help features may not work when you open a .chm file from a remote location. For example, the Related Topics feature may not work.
For more information about how to resolve this issue, click the following article number to view the article in the Microsoft Knowledge Base:
902225
You cannot open HTML Help files from Internet Explorer after you install security update 896358 or Windows Server 2003 Service Pack 1
Overview and examples for system administrators
For more information about security update 896358 and how you can re-enable Web
applications that are affected by this update, click the following article number to view the article in the Microsoft Knowledge Base:
896358
MS05-026: A vulnerability in HTML Help could allow remote code
execution
Internet Explorer security zones
For more information about how to use security zones in Internet
Explorer, click the following article number to view the article in the Microsoft Knowledge Base:
174360
How to use security zones in
Internet Explorer
Group Policy
For more information about Group Policy, visit the following
Microsoft Web sites:
- Group Policy collection
- What is Group Policy Object Editor?
- Core Group Policy tools and settings
Technical support for x64-based versions of Microsoft Windows
On computers that are running x64-based versions of Microsoft
Windows, you may have to adapt the instructions in the
"Resolution" section about how to modify the registry. For example, you might
have to modify a different part of the registry, depending on whether you want
to modify the 32-bit or the 64-bit functionality.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
896459
Registry changes in x64-based versions of Windows Server 2003 and in Windows XP Professional x64 Edition
If your hardware came with an x64-based version of Microsoft Windows already installed, your hardware manufacturer provides technical support and assistance for the x64-based version. In this case, your hardware manufacturer provides support because an x64-based version was included with your hardware. Your hardware manufacturer might have customized the x64-based version installation by using unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with an x64-based version. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware. If you purchased an x64-based version such as an x64-based version of Microsoft Windows Server 2003 separately, contact Microsoft for technical support.
For product information about Microsoft Windows XP Professional x64 Edition, visit the following Microsoft Web site:
For product information about x64-based versions of Microsoft Windows Server 2003, visit the following Microsoft Web site: