date: Tue, 14 Jun 2005 20:47:05 -0400,
group: microsoft.public.vstudio.helpauthoring
Re: FYI: Vulnerability in HTML Help Could Allow Remote Code Execution (896358)
Dear Ken,
This morning we installed (via SUS) the security update KB 896358. Ever
since, all CHM files created with HTML Help Workshop (a Microsoft
product) do not work. Other CHM files not generated by me, and
presumably created by other tools, continue to work.
After I uninstalled the update, the CHM files started working again.
Because this is a critical update, we do not want to do without it.
What can we do?
Best regards,
Ilka
Ken Cox [Microsoft MVP] wrote:
> FYI:
>
> Vulnerability in HTML Help Could Allow Remote Code Execution (896358)
>
> "This update resolves a newly-discovered, privately-reported vulnerability.
> A vulnerability exists in HTML Help that could allow remote code execution
> on an affected system. The vulnerability is documented in the "Vulnerability
> Details" section of this bulletin.
>
> If a user is logged on with administrative user rights, an attacker who
> successfully exploited this vulnerability could take complete control of an
> affected system. An attacker could then install programs; view, change, or
> delete data; or create new accounts with full user rights. Users whose
> accounts are configured to have fewer user rights on the system could be
> less impacted than users who operate with administrative user rights.
>
> We recommend that customers apply the update immediately."
>
> http://www.microsoft.com/technet/security/bulletin/ms05-026.mspx
date: 15 Jun 2005 09:45:42 -0700
author: Ilka
Re: FYI: Vulnerability in HTML Help Could Allow Remote Code Execution (896358)
Ilka,
> This morning we installed (via SUS) the security update KB 896358. Ever
> since, all CHM files created with HTML Help Workshop (a Microsoft
> product) do not work. Other CHM files not generated by me, and
> presumably created by other tools, continue to work.
Are the "blocked" help files stored remotely, on a network drive, whereas
the other files that continue to work are stored locally on your machine's
hard drive? This latest security update should only affect files that are
stored remotely.
I think network administrators can re-enable the HTML Help functionality
across all the machines in an intranet by following the instructions in
Microsoft Knowledge Base article 896358, which is available here:
http://support.microsoft.com/?kbid=896358
For example, the "less conservative approach" described in the article
allows all the machines in an intranet to access HTML Help files stored on
the network. In effect, it removes the block on help files that are in the
Local Intranet zone.
Individual users can make the same change by using Method 2 described in
Knowledge Base article 896054, available here:
http://support.microsoft.com/?kbid=896054
For example, a user who wants to access HTML Help files stored on a network
drive can set the MaxAllowedZone registry value to 1, as this permits access
to HTML Help files that are stored locally (in the Local Machine zone) and
remotely (in the Local Intranet zone).
Pete
date: Wed, 15 Jun 2005 18:31:21 +0100
author: Pete Lees [MVP]