Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

MS05-026: A vulnerability in HTML Help could allow remote code execution


View products that this article applies to.

Summary

Microsoft has released security bulletin MS05-026. The security bulletin contains all the relevant information about the security update. This includes file information and deployment options. To view the complete security bulletin, visit the following Microsoft Web sites:

Known issues

  • After you install security update 896358, certain kinds of Web-based applications may not function correctly. For example, an HTML Help table of contents may no longer function. Additionally, certain HTML Help features, such as the Related Topics feature, may not work when the .chm file is opened from a remote location.
    For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
    892675 Certain Web sites and HTML Help features may not work after you install security update 896358 or security update 890175

  • After you install security update 896358, the features of some Web applications no longer work correctly. For example, a topic may not appear when you click a link. Also, when you try to use a Universal Naming Convention (UNC) path to open a .chm file that is on a network shared folder, topics in the .chm file may not appear. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
    896054 You cannot open remote content by using the InfoTech protocol after you install security update 896358, security update 840315, or Windows Server 2003 Service Pack 1

  • After you install security update 896358, Web applications that use the HTML Help ActiveX control (HHCTRL) to enable cross-frame navigation may not work. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
    896905 After you install security update 896358, content that should be displayed in a different frame is displayed in the frame that contains the HTML Help ActiveX control

  • After you install security update 896358, you may have problems opening an HTML Help file from a hyperlink in Internet Explorer.
    For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
    902225 You cannot open HTML Help files from Internet Explorer after you install security update 896358 or Windows Server 2003 Service Pack 1

  • After you install security update 896358, the HTML Help ActiveX control will no longer accept certain kinds of URLs in parameters. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
    905215 Some URL schemes are ignored when you use the URL schemes in the parameters of an HTML Help ActiveX control after you install security update 896358

For more information about the latest service pack for Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:
889100 How to obtain the latest service pack for Windows Server 2003

↑ Back to the top


What To Try

Changes to HTML Help in security update 896358

Warning This article offers information about how to work around issues that are caused by the deployment of security update 896358. However, Microsoft makes no specific recommendations about which registry keys and values are right for your organization. Your IT department is the best judge of how to weigh the advantages of these workarounds against the risks of using them. The safest course is to use no registry workarounds at all.

The following are brief explanations of how update 896358 may affect Web applications.
IssueBehavior before security update 896358Behavior after security update 896358Microsoft Knowledge Base article that has more information and workarounds
The InfoTech Protocol is blocked from accessing remote contentThe InfoTech protocol could display remote content, except on Windows Server 2003 Service Pack 1 (SP1), where this display was blocked.All operating systems are blocked from using the InfoTech protocol to display remote content.
896054 You cannot open remote content by using the InfoTech protocol after you install security update 896358, security update 840315, or Windows Server 2003 Service Pack 1

Use of the HTML Help ActiveX control is blocked in remote contentSecurity update 890175 blocked the use of the HTML Help ActiveX control in remote content that is shown in an application other than HTML Help. For example, the control is blocked in Internet Explorer.The HTML Help ActiveX control is now also blocked within the HTML Help application.
892675 Certain Web sites and HTML Help features may not work after you install security update 896358 or security update 890175

Use of the HTML Help ActiveX control to display content in another frame is blocked Security update 890175 blocked the use of the HTML Help ActiveX control in remote content that is shown in an application other than HTML Help. For example, the control was blocked in Internet Explorer.Web applications that use the HTML Help ActiveX control to enable cross-frame navigation will not work correctly. The content that should appear in a different frame appears in the frame that contains the HTML Help ActiveX control.
896905 After you install security update 896358, content that should be displayed in a different frame is displayed in the frame that contains the HTML Help ActiveX control

.chm files cannot be opened from Internet ExplorerNo issue.When you use Internet Explorer to open a .chm file, the topic does not display.

After you use Internet Explorer to save a .chm file, some users may have some trouble opening the file because of Attachment Manager protections.
902225 You cannot open HTML Help files from Internet Explorer after you install security update 896358 or Windows Server 2003 Service Pack 1

Some URL schemes are ignored when you use the URL schemes in the parameters of an HTML Help ActiveX control.Any scheme was permitted in HTML Help ActiveX control parameters.All schemes except the following are ignored by the HTML Help ActiveX control: file, http, https, ftp, its, ms-its, mk:@msitstore, Hcp.
905215 Some URL schemes are ignored when you use the URL schemes in the parameters of an HTML Help ActiveX control after you install security update 896358

Approaches to working around application compatibility issues in security update 896358

Security update 896358 supports some registry keys and registry entries that you can use to work around application compatibility issues. Use these questions to help decide which registry changes to make:
  • Does your organization require applications or scenarios that are affected by the changes that are described in this article?
    • How many applications are affected by the changes? How important are these applications?
    • How severe is the malfunction that is caused by the changes?
    • Can you modify the programs so that they do not have to use HTML Help functionality? For example, can your employees download .chm files instead of running them from file share? Can a Web application use a DHTML table of contents instead of using the HTML Help ActiveX control?
  • What are the security requirements and capabilities of your organization?
    • Which is more important, the HTML Help functionality that you are using, or making sure that your security is as strong as possible.
    • Are you considering enabling HTML Help technologies for use within your intranet, as discussed in the following examples? If you are, do external security measures, such as a corporate firewall, give you sufficient confidence to follow this course? Do you trust your employees enough that you are not worried about a system inside your organization being used to attack another?

Some examples of working with security update 896358

Warning The safest course is to use no registry workarounds at all. If you must use registry workarounds, set them as conservatively as possible. For example, use these methods:
  • Instead of using the MaxAllowedZone registry entry, use the UrlAllowList registry entry. Set UrlAllowList to enable as few sites as possible.
  • If you must use the MaxAllowedZone registry entry, set MaxAllowedZone no higher than you must. Setting MaxAllowedZone to 3 or higher exposes your systems to attack from the Internet.
After you have gathered the information about your organization's use of HTML Help, review the following examples to see if they are useful in helping you create a strategy to use as you apply security update 896358 within your organization.

An example of a conservative approach

A conservative approach could work if the following statements apply to your organization:
  • There are no known Web applications that use HTML Help technology.
  • Making security as strong as possible outweighs the requirement for applications and scenarios that use HTML Help to work correctly.
  • You have Web applications use HTML Help technology, but the owners of these applications can quickly modify these applications to use other technologies.
  • For any applications and scenarios that require HTML Help technology, you know or can quickly identify the application servers and file shares on which they are deployed. Also, you can provide sufficient protection for these application servers and file shares.
  • Nobody has to open .chm files from remote locations, such as file shares.
The following method is one example of a conservative approach:
  1. Apply security update 896358. Then, use a Group Policy object to enforce restrictions.

    By default, if you do not modify one or more of the registry entries after you install security update 896358, the security mitigations in security update 896358 will be as restrictive as possible. However, you can use a Group Policy object to prevent individual users from loosening the restrictions themselves.

    The following registry file makes the security mitigations in security update 896358 as restrictive as possible:
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
    "MaxAllowedZone"=dword:00000000
    "UrlAllowList"=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
    "MaxAllowedZone"=dword:00000000
    "UrlAllowList"=""
    If you know that your organization uses no Web applications that require HTML Help, and the users in your organization do not require access to remote .chm files, you can stop here.
  2. Research how Web applications use HTML Help. You may have heard from users that some internal Web applications are affected by the update. Contact the owners of these Web applications and see if they can reengineer features that require HTML Help technology. If the Web applications can do without HTML Help technology, you can stop here.
  3. Selectively enable Web applications. If you find that some Web applications must be able to use HTML Help functionality, you can selectively re-enable access to the servers that host those applications. The following registry file example re-enables the HTML Help ActiveX control and the InfoTech protocol for a specific site. This registry file example also re-enables cross-frame navigation by the HTML Help ActiveX control.
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
    "MaxAllowedZone"=dword:00000000
    "UrlAllowList"="http://contoso/salesapp/"
    "EnableFrameNavigationInSafeMode"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
    "MaxAllowedZone"=dword:00000000
    "UrlAllowList"="http://contoso/salesapp/"
    Note Users may still not be able to open .chm files directly from a link in a Web page.
    For more information about this issue and workarounds, click the following article number to view the article in the Microsoft Knowledge Base:
    902225 You cannot open HTML Help files from Internet Explorer after you install security update 896358 or Windows Server 2003 Service Pack 1

An example of a less conservative approach

This approach could work well if some of the following statements apply to your organization:
  • You are willing to accept additional risk in order to avoid having security update 896358 adversely affect your applications.
  • You cannot quickly identify all specific applications and scenarios that require HTML Help technology.
  • Web applications that use HTML Help technology are very important to your line of business. Also, you cannot quickly modify these applications to use other technologies.
The following method is one example of a less conservative approach:
  1. Apply security update 896358. Then, use a Group Policy object to enforce restrictions.

    The following registry file example lets all the systems in your intranet serve the HTML Help ActiveX control and content by using the InfoTech protocol. This registry file example also re-enables cross-frame navigation by the HTML Help ActiveX control.
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
    "MaxAllowedZone"=dword:00000001
    "EnableFrameNavigationInSafeMode"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
    "MaxAllowedZone"=dword:00000001
    Note Users may still not be able to open .chm files directly from a link in a Web page.
    For more information about this issue and workarounds, click the following article number to view the article in the Microsoft Knowledge Base:

    902225 You cannot open HTML Help files from Internet Explorer after you install security update 896358 or Windows Server 2003 Service Pack 1

  2. Research how Web applications use HTML Help. Determine which Web applications require HTML Help technology. Contact the owners of these Web applications and see if they can reengineer features that require HTML Help technology.
  3. Tune HTML Help settings based on research. If your research determines that the Web applications no longer need HTML Help technology, you can deploy the following registry file to establish the maximum restrictions that are supported by security update 896358:
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
    "MaxAllowedZone"=dword:00000000
    "UrlAllowList"=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
    "MaxAllowedZone"=dword:00000000
    "UrlAllowList"=""
    If you find that some Web applications have to use HTML Help functionality, you can restrict the systems that are enabled to use the technology. The following registry file example restricts use of the HTML Help ActiveX control and the InfoTech protocol for specific intranet sites. This registry file example also continues to let the HTML Help ActiveX control navigate across frames.
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions]
    "MaxAllowedZone"=dword:00000000
    "UrlAllowList"="http://wingtiptoys/catalog/;\\wingtiptoys\help\helpfiles;"
    "EnableFrameNavigationInSafeMode"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
    "MaxAllowedZone"=dword:00000000
    "UrlAllowList"="http://wingtiptoys/catalog/;\\wingtiptoys\help\helpfiles;file://\\wingtiptoys\help\helpfiles"

Registry entries

The following table lists the HTML Help registry entries that this article discusses. The table also lists the Microsoft Knowledge Base article that you can see for more information.
ValueMicrosoft Knowledge Base article
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions\MaxAllowedZone
892675 Certain Web sites and HTML Help features may not work after you install security update 896358 or security update 890175

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions\UrlAllowList
892675 Certain Web sites and HTML Help features may not work after you install security update 896358 or security update 890175

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions\EnableFrameNavigationInSafeMode
896905 After you install security update 896358, content that should be displayed in a different frame is displayed in the frame that contains the HTML Help ActiveX control

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions\MaxAllowedZone
896054 You cannot open remote content by using the InfoTech protocol after you install security update 896358, security update 840315, or Windows Server 2003 Service Pack 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions\UrlAllowList
896054 You cannot open remote content by using the InfoTech protocol after you install security update 896358, security update 840315, or Windows Server 2003 Service Pack 1

Internet Explorer security zones

For more information about how to use security zones in Internet Explorer, click the following article number to view the article in the Microsoft Knowledge Base:

174360 How to use security zones in Internet Explorer

Group Policy

For more information about Group Policy, visit the following Microsoft Web sites:
Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

Technical support for x64-based versions of Microsoft Windows

On computers that are running x64-based versions of Microsoft Windows, you may have to adapt the instructions in the "Resolution" section about how to modify the registry. For example, you might have to modify a different part of the registry, depending on whether you want to modify the 32-bit or the 64-bit functionality.For more information, click the following article number to view the article in the Microsoft Knowledge Base:

896459 Registry changes in x64-based versions of Windows Server 2003 and in Windows XP Professional x64 Edition

Your hardware manufacturer provides technical support and assistance for x64-based versions of Windows. Your hardware manufacturer provides support because an x64-based version of Windows was included with your hardware. Your hardware manufacturer might have customized the installation of Windows with unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with your x64-based version of Windows. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware.

For product information about Microsoft Windows XP Professional x64 Edition, visit the following Microsoft Web site:For product information about x64-based versions of Microsoft Windows Server 2003, visit the following Microsoft Web site:

↑ Back to the top


Keywords: kbbug, kbhotfixserver, kbpubtypekc, kbwinnt400presp7fix, kbwin2000presp5fix, kbwinserv2003presp1fix, kbfix, kbwinxppresp2fix, kbwinserv2003sp2fix, kbsecbulletin, kbsecurity, kbqfe, kblangall, kbmustloc, kb, kbpubtypepublic, kbsecvulnerability

↑ Back to the top

Article Info
Article ID : 896358
Revision : 4
Created on : 3/30/2017
Published on : 3/30/2017
Exists online : False
Views : 453