
Security and Microsoft Help

By Matthew Ellison


Security has become a hot issue for Microsoft in 2002. Back in January, Bill Gates focused the company's attention on the topic by emailing a call to arms to all employees. The resulting security push did not solve all problems overnight—over the past few months a series of security vulnerabilities has come to light in products such as Internet Explorer, Internet Information Server, Windows Media Player, and Outlook Express. As each flaw has been identified, Microsoft has developed a software patch that users can download to fix it.

What does all this have to do with Help? Well, amongst the latest software applications to be identified as a security risk is one of the key tools of our trade, the Windows HTML Help facility. There are two separate security vulnerabilities relating to HTML Help: the shortcut command, and a technical issue known as an "unchecked buffer."

The Shortcut Command

One of the unique features of compiled HTML Help is its ability to execute programs, a privilege not bestowed on regular uncompiled web pages. This is achieved by the use of the shortcut command, which is made available through the HTML Help ActiveX Control. As an example of using the shortcut command, a Help topic that contains an instruction to open the Printer Settings dialog can also provide a shortcut button that enables users to open that dialog with a single click.

Since shortcuts effectively enable HTML Help files to take any action on your computer, a security restriction has always been imposed that only allows trusted HTML Help files to use them. However, two flaws have recently been identified that allow this restriction to be bypassed. First, the HTML Help facility incorrectly determines the Security Zone in the case where a web page or HTML mail delivers a .CHM file to the Temporary Internet Files folder and subsequently opens it. Instead of handling the .CHM file in the zone associated with the web page or HTML mail that delivered it, the HTML Help facility incorrectly handles it in the Local Computer Zone. As a result, HTML Help considers the .CHM file to be trusted and allows it to use shortcuts. This error is compounded by the second flaw: the HTML Help facility doesn't consider what folder the content resides in. If it did, the first flaw would not matter, since content within the Temporary Internet Files folder is never considered trusted.

So how might a malicious party be able to take advantage of this vulnerability and cause damage to people's computer systems? The answer is: with great difficulty. In theory, an attacker could use an HTML mail to deliver a .CHM file that contained a shortcut, and then exploit the flaws described above to open it and allow the shortcut to execute. The shortcut would be able to perform any action the user had privileges to perform on the system. However, in order to be successful, the attacker would have to be able to determine the exact location of the Temporary Internet Files folder—and Microsoft is unaware of any way of doing this for which a patch has not already been provided.

Unchecked Buffer

One of the functions exposed through the HTML Help control contains an unchecked buffer. If you've read any of Microsoft's security bulletins over recent months, you've probably become familiar with the term "unchecked buffer," since it is the cause of many of the security vulnerabilities that have come to light. In software, a buffer is a kind of internal clipboard where data can be stored temporarily while it's being used. An "unchecked buffer" is one where the software doesn't verify that the data being stored is valid (in length, format and content) for that buffer.

An attacker can exploit an unchecked buffer to insert hostile code into a program, or to crash the program by causing the buffer to overflow with more data than it was meant to handle. This could be achieved by a web page hosted on an attacker's site or sent to a user as an HTML mail. An attacker who successfully exploited the vulnerability would be able to run code in the security context of the user, thereby gaining the same privileges as the user on the system.

What action has Microsoft taken?

On October 2, 2002, Microsoft drew attention to both these issues by publishing Security Bulletin MS02-055 on the Microsoft TechNet site (see Links to Related Information below for external site links). At the same time, Microsoft also made available a patch that closes the loopholes for all versions of Windows from 98 to XP.

When you download and install the patch, you are actually updating the HTML Help ActiveX Control on your system to the latest version: 1.4a (5.2.3669.0). This version restricts the use of the shortcut command, and also fixes the unchecked buffer problem.

As a result of installing the patch, an HTML Help file can only use shortcuts if the Help file is located in a folder that's known to contain trusted content. For example, on Windows 2000 and XP systems, shortcuts will only operate if the file is in the Windows Help folder, the Program Files folder, the Help and Support Center folder, or in any of their subfolders.

The patch also creates a new system policy for Windows 2000 and XP systems, called "Restrict potentially unsafe HTML Help functions to specified folders." System administrators can use this policy to customize the list of folders in which HTML Help files can use shortcuts.
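
The folder-based restriction described above, as an added illustration in Python (not Microsoft's implementation and not code from the original article): a check that a .CHM path lies inside a trusted folder or one of its subfolders, so that content in Temporary Internet Files is never trusted. The folder paths are assumed typical Windows 2000/XP locations, and `shortcuts_allowed` and `TRUSTED_FOLDERS` are hypothetical names.

```python
import ntpath

# Assumed typical Windows 2000/XP locations for the folders the article names;
# real systems resolve these from %windir% and %ProgramFiles%.
TRUSTED_FOLDERS = [
    r"C:\Windows\Help",
    r"C:\Program Files",
    r"C:\Windows\PCHealth\HelpCtr",
]


def _canonical(path):
    """Collapse '..' and '.' segments, unify separators, and fold case."""
    return ntpath.normcase(ntpath.normpath(path))


def shortcuts_allowed(chm_path, trusted_folders=TRUSTED_FOLDERS):
    """Return True only if chm_path lies in a trusted folder or its subfolders."""
    if not ntpath.isabs(chm_path):
        return False  # a relative path cannot be tied to a trusted folder
    target = _canonical(chm_path)
    for folder in trusted_folders:
        root = _canonical(folder).rstrip("\\") + "\\"
        # Compare against the folder plus a trailing separator so that
        # "C:\Program Files Evil" does not match "C:\Program Files".
        if target.startswith(root):
            return True
    return False


# Constructed sample paths (not taken from the article).
SAMPLES = [
    r"C:\Program Files\Acme\help\acme.chm",
    r"C:\WINDOWS\Help\notepad.chm",
    r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\AB12CD34\mail.chm",
    r"C:\Program Files Evil\x.chm",
    r"C:\Program Files\..\Temp\x.chm",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print("ALLOW" if shortcuts_allowed(p) else "BLOCK", p)
```

This sketch compares path strings only; a production check would also resolve 8.3 short names and reparse points before comparing.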

How does this affect you and your users?

As explained above, the likelihood of sustaining a malicious attack that exploits a vulnerability of HTML Help is extremely low. Even so, it is recommended that you protect against this risk, however small, by installing the patch provided by Microsoft.

It's unfortunately not yet possible to ship the very latest version of the Help Viewer with your Help systems to users because Hhupd.exe (the HTML Help Installation and Update Package available from Microsoft) currently updates the Help Viewer to version 1.32, which does not include the security fixes. You should instead recommend to your users that they either use Windows Update to upgrade to the very latest version of the Help Viewer, or apply the security patch manually from the Microsoft TechNet web site.

Links to Related Information

For further information about these and other security issues relating to Microsoft Help, visit the following web sites:

Copyright 2002, Matthew Ellison


Matthew has been a popular speaker at WinWriters events throughout the world since 1997. He currently contributes to the design of WinWriters conference programs. Matthew also runs his own independent training and consulting company that specializes in online help design and technology. Matthew holds a B.Sc. in Electronic Engineering and a Post-Graduate Certificate of Education from Bristol University in the UK. He is also a Certified RoboHelp Instructor. Matthew can be reached at: matthew.ellison@email.com.

