Home > Software > Run Compiled HTML .chm from network share

Run Compiled HTML .chm from network share

February 11th, 2008 Leave a comment Go to comments

Way back in 2002 Microsoft released a security bulletin regarding what they called a 'vulnerability in HTML Help that Could Allow Remote Code Execution'. The issue is related to help files that many software vendors use in the form of compiled HTML help files that use the .chm file extension.

Compiled HTML Help is a proprietary format for online help files, developed by Microsoft and first released in 1997 as a successor to the Microsoft WinHelp format. It was first introduced with the release of Windows 98, and is still supported and distributed through Windows XP and Vista platforms. As mentioned a compiled HTML help file has a .chm extension and is essentially a set of web pages written in HTML with a hyperlinked table of contents.

One of the unique features of compiled HTML Help is its ability to execute programs, a privilege not bestowed on regular uncompiled web pages. This is achieved by the use of the shortcut command, which is made available through the HTML Help ActiveX Control. As an example of using the shortcut command, a Help topic that contains an instruction to open the Printer Settings dialog can also provide a shortcut button that enables users to open that dialog with just a single click.

The problem identified by Microsoft was that in theory, an attacker could use an email to deliver a .chm file that contained a shortcut, and then exploit certain flaws to open it and allow the shortcut to execute.

As a result Microsoft released an update that closes the loopholes for all versions of Windows from 98 through to XP. When you download and install the update, you are actually updating the HTML Help ActiveX Control on your system to the latest version: 1.4a (5.2.3669.0). This version restricts the use of the shortcut command, and also fixes another important security issue that was discovered (a buffer overflow vulnerability).

Info on the security bulletin and update is available here:

MS05-026

After the update is installed a compiled HTML Help file can only use shortcuts if the Help file is located in a folder that's known to contain trusted content. For example, on Windows 2000 and XP systems, shortcuts will only operate if the file is in the Windows Help folder, the Program Files folder, the Help and Support Center folder, or in any of their subfolders. Herein lies the problem.

Many System Administrators like myself prefer to run some applications from a central shared location on a network. This because it is easier/quicker to setup an application once then on 500 computers. If the application is configured correctly then as soon as all users have the shortcut pointing to the shared network location the application should function as expected. But as you guessed if you are using a computer where the Microsoft update for the compiled HTML vulnerability has been applied then when you try to view the help file(s) you will likely be presented with a window like this:

chmnetworkerror.JPG

Microsoft released the following knowledge base article with advice and workarounds for this problem:

KB896358

I won't go into detail explaining every workaround that Microsoft has provided in the article but I will explain how I tackled the problem. The way I viewed the situation was that I was willing to accept additional risk in order to get .chm files working from a shared location on the network. I believe the likelihood of sustaining a malicious attack that exploits a vulnerability of compiled HTML help is extremely low. I do however recommended that you protect against this risk, however small, by installing the update provided by Microsoft. I trust all the computers on the network so I decided to lower the restrictions on the Local Intranet zone to allow .chm files to run from the shared location. This is how I did it:

1. Click Start, click Run, type regedit, and then click OK.
2. Navigate to the following subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions

(If this registry subkey does not exist, create it.)

3. Right-click the ItssRestrictions subkey, point to New, and then click DWORD Value.
4. Type MaxAllowedZone, and then press Enter.
5. Right-click the MaxAllowedZone value, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Exit regedit.

  1. Thomas
    March 11th, 2008 at 19:01 | #1

    Excellent, thank you

  2. Mick
    March 27th, 2008 at 03:23 | #2

    You've saved me heaps of time, thanks.

*