Microsoft Internet Explorer "HTML Help File Code Execution" Vulnerability patch

Patches and Updates


Microsoft has released a patch that eliminates a security vulnerability in the HTML Help facility that ships with Microsoft® Internet Explorer. Under certain conditions, the vulnerability could allow a malicious web site to take inappropriate action on the computer of a visiting user.

The HTML Help facility provides the ability to launch code via shortcuts included in HTML Help files. If a compiled HTML Help (.chm) file were referenced by a malicious web site, it could potentially be used to launch code on a visiting user's computer without the user's approval. Such code could take any actions that the user could take, including adding, changing or deleting data, or communicating with a remote web site.

A web site could only invoke an HTML Help file if it resided on a UNC share accessible from the user's machine, or on the user's machine itself. A firewall that blocks NetBIOS would prevent the former case from being exploited. Adhering to standard security practices would prevent the latter. In addition, an HTML Help file could only be invoked if Active Scripting was permitted in the Security Zone that the malicious user's site resides in.

The patch eliminates the vulnerability by only allowing an HTML Help file to use shortcuts if the help file resides on the local machine.
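The location rule described above (shortcuts honoured only for help files on the local machine) can be modelled when triaging captured web content for .chm references. This Python sketch is an added example, not Microsoft's code; the function names and the sample page are constructed for illustration, and classification is by path string only.

```python
import re
from urllib.parse import unquote

# A quoted attribute or script string that ends in ".chm".
CHM_REF = re.compile(r"""["']([^"'<>\s]+\.chm)(?=["'#?:])""", re.IGNORECASE)
DRIVE = re.compile(r"[A-Za-z]:\\")

def classify_chm_location(ref):
    """Return 'unc', 'local' or 'other' for a reference to a .chm file."""
    s = unquote(ref).strip()
    if s.lower().startswith("file:"):
        s = s[5:]                      # file://host/share and file:///C:/ forms
    s = s.replace("/", "\\")
    stripped = s.lstrip("\\")
    leading = len(s) - len(stripped)
    if DRIVE.match(stripped):
        # Caveat: a drive letter mapped to a network share also lands here;
        # the string alone cannot tell a mapped drive from a local disk.
        return "local"
    if leading >= 2 and stripped:
        return "unc"                   # \\server\share\file.chm
    return "other"                     # http(s) URLs, relative paths, etc.

def shortcuts_allowed(ref):
    """Model of the rule the advisory describes: local help files only."""
    return classify_chm_location(ref) == "local"

def find_chm_refs(html):
    """List (reference, location class) for every .chm reference in a page."""
    return [(m.group(1), classify_chm_location(m.group(1)))
            for m in CHM_REF.finditer(html)]

# Constructed sample page body (not taken from any real site).
SAMPLE_PAGE = r'''
<a href="\\files.example\pub\guide.chm">Guide</a>
<a href="file:///C:/WINNT/Help/windows.chm">Local help</a>
<a href="file://files.example/pub/tool.chm">Tool</a>
<a href="http://www.example/download/manual.chm">Manual</a>
'''

if __name__ == "__main__":
    for ref, where in find_chm_refs(SAMPLE_PAGE):
        flag = "REVIEW" if where == "unc" else "ok"
        print(f"{flag:6} {where:5} {ref}")
```

A web page that points at a help file on a UNC share is the case worth reviewing, since it is the remote path the advisory says a firewall blocking NetBIOS would cut off.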


