Microsoft KB Archive/896358

= MS05-026: A vulnerability in HTML Help could allow remote code execution =

Article ID: 896358

Article Last Modified on 10/11/2007

-

APPLIES TO

 * Microsoft Windows Server 2003 SP1, when used with:
   * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
   * Microsoft Windows Server 2003, Enterprise Edition
   * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
   * Microsoft Windows Server 2003, Web Edition
   * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
   * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter x64 Edition
 * Microsoft Windows XP for Itanium-based Systems Version 2003
 * Microsoft Windows XP Professional 64-Bit Edition (Itanium)
 * Microsoft Windows XP Professional x64 Edition
 * Microsoft Windows XP Service Pack 2
 * Microsoft Windows XP Service Pack 1
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Service Pack 4
 * Microsoft Windows 2000 Service Pack 3
 * Microsoft Windows Millennium Edition
 * Microsoft Windows 98 Second Edition
 * Microsoft Windows 98 Standard Edition

-


SUMMARY
Microsoft has released security bulletin MS05-026. The security bulletin contains all the relevant information about the security update. This includes file information and deployment options. To view the complete security bulletin, visit the following Microsoft Web sites:
 * Home users: http://www.microsoft.com/athome/security/update/bulletins/default.mspx
 * IT professionals: http://www.microsoft.com/technet/security/bulletin/ms05-026.mspx

Known issues
 * After you install security update 896358, certain kinds of Web-based applications may not function correctly. For example, an HTML Help table of contents may no longer function. Additionally, certain HTML Help features, such as the Related Topics feature, may not work when the .chm file is opened from a remote location. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

   892675 Certain Web sites and HTML Help features may not work after you install security update 896358 or security update 890175

 * After you install security update 896358, the features of some Web applications no longer work correctly. For example, a topic may not appear when you click a link. Also, when you try to use a Universal Naming Convention (UNC) path to open a .chm file that is on a network shared folder, topics in the .chm file may not appear. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

   896054 You cannot open remote content by using the InfoTech protocol after you install security update 896358, security update 840315, or Windows Server 2003 Service Pack 1

 * After you install security update 896358, Web applications that use the HTML Help ActiveX control (HHCTRL) to enable cross-frame navigation may not work. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

   896905 After you install security update 896358, content that should be displayed in a different frame is displayed in the frame that contains the HTML Help ActiveX control

 * After you install security update 896358, you may have problems opening an HTML Help file from a hyperlink in Internet Explorer. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

   902225 You cannot open HTML Help files from Internet Explorer after you install security update 896358 or Windows Server 2003 Service Pack 1

 * After you install security update 896358, the HTML Help ActiveX control will no longer accept certain kinds of URLs in parameters. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

   905215 Some URL schemes are ignored when you use the URL schemes in the parameters of an HTML Help ActiveX control after you install security update 896358

For more information about the latest service pack for Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

889100 How to obtain the latest service pack for Windows Server 2003


Changes to HTML Help in security update 896358
Warning This article offers information about how to work around issues that are caused by the deployment of security update 896358. However, Microsoft makes no specific recommendations about which registry keys and values are right for your organization. Your IT department is the best judge of how to weigh the advantages of these workarounds against the risks of using them. The safest course is to use no registry workarounds at all.

The following are brief explanations of how update 896358 may affect Web applications.

Approaches to working around application compatibility issues in security update 896358
Security update 896358 supports some registry keys and registry entries that you can use to work around application compatibility issues. Use these questions to help decide which registry changes to make:
 * Does your organization require applications or scenarios that are affected by the changes that are described in this article?
 * How many applications are affected by the changes? How important are these applications?
 * How severe is the malfunction that is caused by the changes?
 * Can you modify the programs so that they do not have to use HTML Help functionality? For example, can your employees download .chm files instead of running them from a file share? Can a Web application use a DHTML table of contents instead of using the HTML Help ActiveX control?
 * What are the security requirements and capabilities of your organization?
 * Which is more important: the HTML Help functionality that you are using, or making sure that your security is as strong as possible?
 * Are you considering enabling HTML Help technologies for use within your intranet, as discussed in the following examples? If you are, do external security measures, such as a corporate firewall, give you sufficient confidence to follow this course? Do you trust your employees enough that you are not worried about a system inside your organization being used to attack another?

Some examples of working with security update 896358
Warning The safest course is to use no registry workarounds at all. If you must use registry workarounds, set them as conservatively as possible. For example, use these methods:
 * Instead of using the MaxAllowedZone registry entry, use the UrlAllowList registry entry. Set UrlAllowList to enable as few sites as possible.
 * If you must use the MaxAllowedZone registry entry, set MaxAllowedZone no higher than you must. Setting MaxAllowedZone to 3 or higher exposes your systems to attack from the Internet.

After you have gathered the information about your organization's use of HTML Help, review the following examples to see if they are useful in helping you create a strategy to use as you apply security update 896358 within your organization.

An example of a conservative approach
A conservative approach could work if the following statements apply to your organization:
 * There are no known Web applications that use HTML Help technology.
 * Making security as strong as possible outweighs the requirement for applications and scenarios that use HTML Help to work correctly.
 * You have Web applications that use HTML Help technology, but the owners of these applications can quickly modify these applications to use other technologies.
 * For any applications and scenarios that require HTML Help technology, you know or can quickly identify the application servers and file shares on which they are deployed. Also, you can provide sufficient protection for these application servers and file shares.
 * Nobody has to open .chm files from remote locations, such as file shares.

The following method is one example of a conservative approach:

 1. Apply security update 896358. Then, use a Group Policy object to enforce restrictions.

    By default, if you do not modify one or more of the registry entries after you install security update 896358, the security mitigations in security update 896358 will be as restrictive as possible. However, you can use a Group Policy object to prevent individual users from loosening the restrictions themselves.

    The following registry file makes the security mitigations in security update 896358 as restrictive as possible:

        REGEDIT4

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
        "MaxAllowedZone"=dword:00000000
        "UrlAllowList"=""

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
        "MaxAllowedZone"=dword:00000000
        "UrlAllowList"=""

    If you know that your organization uses no Web applications that require HTML Help, and the users in your organization do not require access to remote .chm files, you can stop here.

 2. Research how Web applications use HTML Help. You may have heard from users that some internal Web applications are affected by the update. Contact the owners of these Web applications and see if they can reengineer features that require HTML Help technology. If the Web applications can do without HTML Help technology, you can stop here.

 3. Selectively enable Web applications. If you find that some Web applications must be able to use HTML Help functionality, you can selectively re-enable access to the servers that host those applications. The following registry file example re-enables the HTML Help ActiveX control and the InfoTech protocol for a specific site. This registry file example also re-enables cross-frame navigation by the HTML Help ActiveX control.

        REGEDIT4

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
        "MaxAllowedZone"=dword:00000000
        "UrlAllowList"="http://contoso/salesapp/"
        "EnableFrameNavigationInSafeMode"=dword:00000001

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
        "MaxAllowedZone"=dword:00000000
        "UrlAllowList"="http://contoso/salesapp/"

    Note Users may still not be able to open .chm files directly from a link in a Web page. For more information about this issue and workarounds, click the following article number to view the article in the Microsoft Knowledge Base:

    902225 You cannot open HTML Help files from Internet Explorer after you install security update 896358 or Windows Server 2003 Service Pack 1

An example of a less conservative approach
This approach could work well if some of the following statements apply to your organization:
 * You are willing to accept additional risk in order to avoid having security update 896358 adversely affect your applications.
 * You cannot quickly identify all specific applications and scenarios that require HTML Help technology.
 * Web applications that use HTML Help technology are very important to your line of business. Also, you cannot quickly modify these applications to use other technologies.

The following method is one example of a less conservative approach:

 1. Apply security update 896358. Then, use a Group Policy object to enforce restrictions.

    The following registry file example lets all the systems in your intranet serve the HTML Help ActiveX control and content by using the InfoTech protocol. This registry file example also re-enables cross-frame navigation by the HTML Help ActiveX control.

        REGEDIT4

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
        "MaxAllowedZone"=dword:00000001
        "EnableFrameNavigationInSafeMode"=dword:00000001

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
        "MaxAllowedZone"=dword:00000001

    Note Users may still not be able to open .chm files directly from a link in a Web page. For more information about this issue and workarounds, click the following article number to view the article in the Microsoft Knowledge Base:

    902225 You cannot open HTML Help files from Internet Explorer after you install security update 896358 or Windows Server 2003 Service Pack 1

 2. Research how Web applications use HTML Help. Determine which Web applications require HTML Help technology. Contact the owners of these Web applications and see if they can reengineer features that require HTML Help technology.

 3. Tune HTML Help settings based on research. If your research determines that the Web applications no longer need HTML Help technology, you can deploy the following registry file to establish the maximum restrictions that are supported by security update 896358:

        REGEDIT4

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
        "MaxAllowedZone"=dword:00000000
        "UrlAllowList"=""

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
        "MaxAllowedZone"=dword:00000000
        "UrlAllowList"=""

    If you find that some Web applications have to use HTML Help functionality, you can restrict the systems that are enabled to use the technology. The following registry file example restricts use of the HTML Help ActiveX control and the InfoTech protocol for specific intranet sites. This registry file example also continues to let the HTML Help ActiveX control navigate across frames.

        REGEDIT4

        ; Backslashes inside .reg string values are escaped, so each "\" in a
        ; UNC path is written as "\\". The stored value begins \\wingtiptoys\help.

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
        "MaxAllowedZone"=dword:00000000
        "UrlAllowList"="http://wingtiptoys/catalog/;\\\\wingtiptoys\\help\\helpfiles;"
        "EnableFrameNavigationInSafeMode"=dword:00000001

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
        "MaxAllowedZone"=dword:00000000
        "UrlAllowList"="http://wingtiptoys/catalog/;\\\\wingtiptoys\\help\\helpfiles;file://\\\\wingtiptoys\\help\\helpfiles"
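To check exported settings against the guidance above (prefer UrlAllowList over MaxAllowedZone, and never set MaxAllowedZone to 3 or higher), the following added example parses a REGEDIT4 export and reports each loosened restriction. It is not part of Microsoft's article; the function names and the sample export are constructed for illustration, and a missing MaxAllowedZone is assumed to mean 0.

```python
import re

# Constructed sample input: mirrors the article's layout, with one weak setting.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
"MaxAllowedZone"=dword:00000000
"UrlAllowList"="http://wingtiptoys/catalog/;\\\\wingtiptoys\\help\\helpfiles;"
"EnableFrameNavigationInSafeMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
"MaxAllowedZone"=dword:00000003
'''

WATCHED = ("HHRestrictions", "ItssRestrictions")

def parse_reg(text):
    """Return {subkey: {value name: int or str}} for the two watched subkeys."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            leaf = section.group(1).rsplit("\\", 1)[-1]
            current = keys.setdefault(leaf, {}) if leaf in WATCHED else None
            continue
        entry = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if current is None or not entry:
            continue
        name, raw = entry.groups()
        if raw.lower().startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            # .reg string values escape backslash and quote with a backslash.
            current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])
    return keys

def audit(text):
    """Apply the article's guidance; return a list of (subkey, finding)."""
    findings = []
    for key, values in parse_reg(text).items():
        zone = values.get("MaxAllowedZone", 0)  # assumption: absent means 0
        allow = [u for u in values.get("UrlAllowList", "").split(";") if u]
        if zone >= 3:
            findings.append((key, "MaxAllowedZone=%d: exposed to the Internet" % zone))
        elif zone > 0:
            findings.append((key, "MaxAllowedZone=%d: prefer UrlAllowList" % zone))
        findings += [(key, "allow-listed: " + u) for u in allow]
        if values.get("EnableFrameNavigationInSafeMode") == 1:
            findings.append((key, "cross-frame navigation re-enabled"))
    return findings

if __name__ == "__main__":
    print("\n".join("%s - %s" % f for f in audit(SAMPLE_REG)))
```

An empty result means the export matches the most restrictive configuration shown in this article.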

Registry entries
The following table lists the HTML Help registry entries that this article discusses. The table also lists the Microsoft Knowledge Base article that you can see for more information.

Internet Explorer security zones
For more information about how to use security zones in Internet Explorer, click the following article number to view the article in the Microsoft Knowledge Base:

174360 How to use security zones in Internet Explorer

Group Policy
For more information about Group Policy, visit the following Microsoft Web sites:
 * Group Policy collection: http://technet2.microsoft.com/windowsserver/en/library/6d7cb788-b31d-4d17-9f1e-b5ddaa6deecd1033.mspx
 * Group Policy Object Editor: http://technet2.microsoft.com/windowsserver/en/library/47ba1311-6cca-414f-98c9-2d7f99fca8a31033.mspx
 * Core Group Policy tools and settings: http://technet2.microsoft.com/windowsserver/en/library/e926577a-5619-4912-b5d9-e73d4bdc94911033.mspx

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

Technical support for x64-based versions of Microsoft Windows
On computers that are running x64-based versions of Microsoft Windows, you may have to adapt the instructions in the "Resolution" section about how to modify the registry. For example, you might have to modify a different part of the registry, depending on whether you want to modify the 32-bit or the 64-bit functionality. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

896459 Registry changes in x64-based versions of Windows Server 2003 and in Windows XP Professional x64 Edition

Your hardware manufacturer provides technical support and assistance for x64-based versions of Windows. Your hardware manufacturer provides support because an x64-based version of Windows was included with your hardware. Your hardware manufacturer might have customized the installation of Windows with unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with your x64-based version of Windows. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware.

For product information about Microsoft Windows XP Professional x64 Edition, visit the following Microsoft Web site:

http://www.microsoft.com/windowsxp/64bit/default.mspx

For product information about x64-based versions of Microsoft Windows Server 2003, visit the following Microsoft Web site:

http://www.microsoft.com/windowsserver2003/64bit/x64/default.mspx

Additional query words: update security_patch security_update security bug flaw vulnerability malicious attacker exploit registry unauthenticated buffer overrun overflow specially-formed scope specially-crafted denial of service DoS TSE WinNT Win2000 HTML_Help InfoTech HHCTRL URP Compiled Help Module

Keywords: kbbug kbfix kbsecvulnerability kbqfe kbsecurity kbwinnt400presp7fix kbsecbulletin kbwinxppresp2fix kbpubtypekc kbwin2000presp5fix kbwinserv2003presp1fix kbhotfixserver kbwinserv2003sp2fix KB896358


© Microsoft Corporation. All rights reserved.