Vulnerability in HTML Help ActiveX Control

HTML Help ActiveX Control

Internet Explorer uses ActiveX controls, which are based on Microsoft’s Component Object Model (COM) architecture, to incorporate various features into Web pages. The Windows help system uses the HTML Help ActiveX control to add navigation and second-window functionality to an HTML file.

HTML Help ActiveX Control Vulnerability

Internet Explorer’s security architecture implements a cross-domain security model to ensure that Internet Explorer windows from different Web domains (windows from different Web sites) do not interfere with each other. The way the HTML Help ActiveX control processes cross-domain requests creates a vulnerability that allows disclosure of information or remote code execution on the host system.

An attacker can use this vulnerability to build a malicious Web page that executes remote code on the user’s system when the user visits the page. If the user is logged on as an administrator, the attacker can exploit the vulnerability to take full control of the user’s system. The attacker can then view, modify, and delete data, and even create new accounts with administrative privileges on that system.

Win98, Win98 SE, and Windows ME are the three most critically affected Windows operating systems. Systems running Windows NT Server 4.0 and Windows NT 4.0 Terminal Server edition with Internet Explorer 6.0 SP 1 also have the affected component. To protect your PC from this vulnerability, you must download the critical security update that is available on the Microsoft Support Web site.

Internet Explorer Security Zones

Internet Explorer security zones come from a system that segregates online content into different zones, or categories. Each Web domain is assigned to a security zone based on the reliability of the content available on it. The capabilities of Web content are restricted according to the zone’s policy. This policy prevents active code and scripts from accessing local system resources.

How Can an Attacker Exploit the Vulnerability?

An attacker can exploit the HTML Help ActiveX control vulnerability to:

  • Run malicious script code in the local system security zone of Internet Explorer to take complete control over the affected system.
  • Create a malicious Web page that users are led to visit and, in turn, gain access to local system files on the user’s PC.

Preventive Measures

Along with making available security updates for different Windows operating systems, Microsoft has tested and proposed some workarounds to counter the vulnerability. Listed below are some of the workarounds that you can use to prevent attackers from gaining access to your system.

  1. In the Internet Explorer window, select Tools – Internet Options – Security. Here, change the security zone settings for ‘Internet’ and ‘Local intranet’ to ‘High’.
  2. On the Security tab, select the ‘Trusted sites’ zone and then select the ‘Sites’ button. In the ‘Trusted sites’ dialog box, add the URLs of the Web sites that you trust and are sure will not run any malicious program on your system.
  3. From the Microsoft Security Update Web site on the Internet, download security updates for Outlook 2000 SP1 or earlier and Outlook Express 5.5SP2.
  4. If you are using Outlook 2002 or later, or Outlook 6 SP1 or later, read your email messages in plain text format.
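
To confirm that steps 1 and 2 were applied, the per-user zone settings can be checked from a registry export. The following is an added example, not code from Microsoft or from the original article; it assumes the settings are stored under HKEY_CURRENT_USER in the Internet Settings `Zones` and `ZoneMap\Domains` keys, that a `CurrentLevel` of 0x12000 means ‘High’, and it uses a constructed sample export.

```python
import re

# Zone numbers used by Internet Explorer; 0x12000 is the "High" security template.
ZONES = {1: "Local intranet", 3: "Internet"}
HIGH = 0x12000
# Assumption: per-user settings only (HKEY_CURRENT_USER); keys are compared lowercased.
BASE = "hkey_current_user\\software\\microsoft\\windows\\currentversion\\internet settings\\"

# Constructed sample export (not taken from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"CurrentLevel"=dword:00010500
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"CurrentLevel"=dword:00012000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\www]
"https"=dword:00000002
'''

def parse_reg(text):
    """Return {lowercased key path: {value name: int}} for dword values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]*)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                current[m.group(1)] = int(m.group(2), 16)
    return keys

def audit(text):
    """Report zones from step 1 that are not High, and the sites assigned to Trusted sites."""
    keys, findings, trusted = parse_reg(text), [], []
    for zone, name in ZONES.items():
        level = keys.get(BASE + "zones\\%d" % zone, {}).get("CurrentLevel")
        if level != HIGH:
            shown = "missing" if level is None else hex(level)
            findings.append("%s zone is not High (CurrentLevel=%s)" % (name, shown))
    marker = BASE + "zonemap\\domains\\"
    for key, values in keys.items():
        if key.startswith(marker):
            domain, _, sub = key[len(marker):].partition("\\")
            host = (sub + "." if sub else "") + domain
            # Value name is the protocol; value data 2 is the Trusted sites zone.
            trusted += ["%s://%s" % (p, host) for p, z in values.items() if z == 2]
    return findings, sorted(trusted)

if __name__ == "__main__":
    print(audit(SAMPLE_REG))
```

On the sample, the check flags the Local intranet zone and lists the one trusted site, which is the list to review against the sites you actually meant to trust.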

Attackers can exploit the HTML Help ActiveX Control vulnerability to gain access to your system by running malicious scripts. To secure your system against the vulnerability, you must download security updates for your versions of the Windows operating system, Internet Explorer, Outlook and Outlook Express from Microsoft’s security update website. Malicious scripts and programs can gain access to the registry of your system and alter it in such a way that your PC becomes unusable. Therefore, as a preventive measure, you may also download reliable registry cleaner software from the internet. Use the software to regularly scan the registry and remove any invalid or incorrect entries added to it by malicious scripts running on the system.