Microsoft Security Bulletin MS00-037

Technical description:

The HTML Help facility provides the ability to launch code via shortcuts included in HTML Help files. If a compiled HTML Help (.chm) file were referenced by a malicious web site, it could potentially be used to launch code on a visiting user's computer without the user's approval. Such code could take any actions that the user could take, including adding, changing or deleting data, or communicating with a remote web site.

A web site could only invoke an HTML Help file if it resided on a UNC share accessible from the user's machine, or on the user's machine itself. A firewall that blocks Netbios would prevent the former case from being exploited. Adhering to standard security practices would prevent the latter. In addition, an HTML Help file could only be invoked if Active Scripting was permitted in the Security Zone that the malicious user's site resides in. The patch eliminates the vulnerability by only allowing an HTML Help file to use shortcuts if the help file resides on the local machine.

What's this bulletin about?
Microsoft Security Bulletin MS00-037 announces the availability of a patch that eliminates a vulnerability in the HTML Help facility that ships as part of Microsoft® Internet Explorer. Under certain conditions, the vulnerability could allow a malicious web site operator to run code on the computer of a visiting user. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This vulnerability could allow a malicious web site operator to cause code to execute on the computer of a user who visited the site. Such code could take any action that the user himself could take, including but not limited to creating, changing or deleting data, or communicating with an external web site.
In order to exploit this vulnerability, the malicious user would need to place an HTML help file in a location accessible to the visitor's machine. Because of this, customers behind a properly-configured firewall would typically not be at risk. Even customers who are not behind a firewall would not be at risk, if they have used the Security Zones feature in Internet Explorer to disable Active Scripting for untrusted web sites.

What causes the vulnerability?
The vulnerability exists because the shortcut feature of HTML Help allows it to launch programs. If a malicious web site operator could make an HTML Help file of his choice accessible to a visiting user's computer, he could then invoke the HTML Help file from his web site and potentially cause code of his choice to run on the visiting user's computer.

What is HTML Help?
HTML Help is the familiar help facility that you see whenever you use a Microsoft product - for instance, if you click on the Help command in IE, you are using HTML Help. The advantage of HTML Help is that it uses a standard rendering method for the text, and allows animation, hyperlinks, and other web-based features to be used in order to provide more effective help to the user.

What is a Shortcut, and how are Shortcuts used in HTML Help?
Shortcuts allow HTML Help files to link to and execute code. This feature allows the help topic to either demonstrate a point to the user, or to perform a function for him. For example, if you search for help on adding a printer in Windows 2000, there's a shortcut that will let you go directly to the Printers folder in Control Panel and start the wizard that adds a printer.

How would an attack that exploited this vulnerability work?
In order to attack a user by exploiting this vulnerability, a malicious web site operator would have to accomplish several steps. First, the web site operator would have to entice the user to visit the malicious web site. Next, the web page that the user chose to visit would have to call a Compiled HTML Help file (a .CHM file) that was accessible to the visiting user's computer. The Compiled HTML Help file containing the shortcut file would then execute on the user's computer. The program that the shortcut invoked would accomplish the actual attack.

What do you mean by "a HTML Help file accessible to the user's computer"?
In order for this vulnerability to be exploited, the HTML Help file must reside in either of two places:

• On the local disk drive of the visiting user's computer.
• On a remote machine that the visiting user's computer can access via a type of shared folder known as a UNC share.

It's important to note that an HTML Help file cannot be hosted as part of a web site. Although it may physically reside on the same server as the malicious user's site, it would have to be accessed through a UNC share. The significance of this fact is that a UNC share typically would be blocked by a properly-configured firewall.

How could the malicious user get an HTML Help file onto the visiting user's computer?
He would need to persuade or entice the user into downloading it. Microsoft strongly recommends against ever accepting content from an untrusted source.

What is a UNC share and how would the user's machine access it?
A UNC share is a shared folder that is identified by a Universal Naming Convention (UNC) name. A UNC name is a name of the form \\machine\directory\file.dat. The machine component of the UNC name is the name of the machine where the directory is stored. UNC shares are accessed using the NetBIOS protocol, usually running over TCP/IP (the Internet protocol family).
To exploit this vulnerability, the malicious user could simply host the HTML Help file on a UNC share on his server. But if the visitor's machine were behind a firewall that blocked the NetBIOS protocols (as is recommended by best practices), then the user's machine would not be able to access an HTML Help file, and therefore could not be affected by the vulnerability.

Would it be necessary for the user to click on a shortcut in order for the vulnerability to be exploited?
No. If the HTML Help file is accessible to the user's browser, the malicious web site could call the HTML Help file without user intervention, and the shortcut would be invoked automatically. The malicious web site would not need to entice the visitor into clicking a link.

Is it safe to manually download Compiled HTML Help files (extension .chm) from a Web Site?
No. Just as with downloading any other code from the Internet, a compiled help file could contain shortcuts to execute code on the user's computer and perform malicious actions.

How would Security Zones help me protect against this vulnerability?
The Security Zones feature of IE allows you to categorize the web sites you visit and specify what the sites in a particular category should be allowed to do. Among the options you can choose is whether or not web sites should be able to use Active Scripting. A malicious web site operator could only exploit this vulnerability if his web site was allowed to perform Active Scripting.
Microsoft recommends that customers routinely use the Security Zones feature. We recommend putting the sites that you visit frequently and trust into the Trusted Zone. All sites that you haven't otherwise categorized will reside in the Internet Zone. You can then configure the zones to give the appropriate privileges to the web sites in these zones.

Who should install the patch?
Microsoft recommends that all users of an affected version of IE apply this patch.

What does the patch do?
The patch adds a check so that shortcuts can only be invoked from an HTML Help file that is located on the user's local machine. That is, if an HTML Help file is located on a remote machine and accessed via a UNC share, the patch prevents the HTML Help file from using shortcuts.

How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .

How can I tell if I installed the patch correctly?
The Knowledge Base provides a manifest of the files in the patch package.The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article

What is Microsoft doing about this issue?

• Microsoft has developed a procedure that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.

Download locations for this patch

• Internet Explorer 4.0, 4.01, 5.0, or 5.01 running on Windows 95, Windows 98, Windows 98 Second Edition, or Windows NT 4.0:

  http://www.microsoft.com/downloads/details.aspx?FamilyId=0D7FC2C3-5085-4506-82A0-A838A6836A69&displaylang=en

• Internet Explorer 5.01 on Windows 2000:

  http://www.microsoft.com/downloads/details.aspx?FamilyId=2D9E639B-36DC-444F-B5DB-88109300C68C&displaylang=en