__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________
INFORMATION BULLETIN
The Hidden Dangers of Windows HTML Help (.chm) Files
June 1, 2006 23:00 GMT Number Q-213
______________________________________________________________________________
PROBLEM: Microsoft HTML Help (.chm) files can do just about anything
executable (.exe) files can. HTML Help files are not simply
formatted text files but can contain scripts, documents, and
executable files that can be automatically installed and run.
PLATFORM: All Windows platforms.
DAMAGE: Windows HTML Help files are perceived to be formatted text but
can do just about anything an executable can do. They can be
used maliciously to install viruses, Trojans, and other
malicious code.
SOLUTION: Do not open .chm files sent to you by an unknown entity or
downloaded from a suspicious site. Sites should consider
blocking .chm attachments to emails.
______________________________________________________________________________
VULNERABILITY ASSESSMENT: The risk is Medium: HTML Help files can run arbitrary
code with the permissions of the user who opened the file.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/q-213.shtml
TOOLS:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/htmlhelp/html/vsconHH1Start.asp
______________________________________________________________________________
What is a .chm File?
====================
A .chm file is a compiled and compressed Microsoft HTML Help file. It is
created using the Microsoft HTML Help system, the standard help system for the
Windows platform. The word "compiled" simply means combining several documents
or files into one file, much like a zip archive. The output of the compilation
process is then compressed. The compiled and compressed .chm file only makes
sense to the HTML Help viewer called hh.exe, usually found in the Windows
directory. When a Help file is opened, the Help Viewer extracts the compressed
files and runs or displays them according to the embedded scripts.
Why Help Files?
===============
Software documentation plays just as big a role as the software itself. Users
need to know and understand the usefulness of complex programs. It was out of
a need to provide users with a simple, logical yet powerful interface for
documentation that the HTML Help system arose. Authors create help topics for
software applications using the HTML Help system and ship them along with the
program. HTML Help is also well suited for online help guides, interactive
books, electronic newsletters, etc.
How are .chm Files Created?
===========================
A Help file is usually made up of several components. You first create a
project file that manages the other files in your help system. The files
can contain graphics, text, video, animation, and other elements that you
want to appear in help topics. Using a tool such as HTML Help Workshop, you
then compile all the individual files that make up your help project into
a single help file with a .chm extension.
The Hidden Danger
=================
As noted earlier, you can include or compile a wide range of files such as
images, graphics, video, etc. into a single Help file. You simply specify
the right HTML tags in the HTML file for the image or video you want to run.
The danger lies in the fact that you can also specify a tag or link to an
executable file which will be compiled, along with other files, into the
Help file! The .chm file when opened will run the attached .exe file which
might be completely unknown to the user.
Take a look at the following HTML code for example:
Test
click here for the next menu
If you compile this code, the Help system adds notepad.exe to the output
.chm file. When you run the .chm file, you see a standard Help pane pop up
along with the link "click here for the next menu". Clicking on that link
runs the embedded notepad.exe. You can even add a script that hides the
link and automatically clicks it when the .chm is opened!
The fact is that Help files can do pretty much the same things that exe
files do. If a user chooses to run a .chm file, it can do whatever the
user has permissions to do including installing viruses, worms, Trojans
or other malicious code.
Workarounds
===========
Users should be extremely cautious when they receive .chm files in an email
message and should not open them if they are not expected. You can decompile
the .chm file into its various components using the HTML Help Workshop and
see if there are unexpected executables. Help files that come with new
software are normally safe but those received independently as email
attachments or as downloads from untrusted sites should be checked by a
security officer before they are opened.
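As an added example (not part of the CIAC bulletin), the following Python script automates the check the workaround describes: after a .chm has been decompiled with HTML Help Workshop (hh.exe -decompile <folder> <file.chm>), it walks the extracted tree and flags executables by extension, files that carry a PE "MZ" header regardless of their name, and help topics that use the HTML Help ActiveX control's ShortCut command or inline script. The sample tree, its file names and the classid placeholder are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Extensions that hh.exe or Windows will launch as code if a topic links to them.
EXEC_EXTENSIONS = {".exe", ".com", ".dll", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".hta"}

# HTML constructs in a help topic that can launch something outside the viewer:
# the HTML Help ActiveX control (OBJECT tag) with its ShortCut command, and inline script.
SUSPICIOUS_HTML = (
    (re.compile(rb"<object\b", re.I), "OBJECT tag (HTML Help ActiveX control)"),
    (re.compile(rb'value\s*=\s*"?shortcut"?', re.I), "ShortCut command"),
    (re.compile(rb"<script\b", re.I), "inline script"),
)


def scan_decompiled_chm(root):
    """Return (relative path, reason) findings for a decompiled .chm tree, in path order."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if path.suffix.lower() in EXEC_EXTENSIONS:
            findings.append((rel, "executable extension"))
        if data[:2] == b"MZ":  # DOS/PE stub signature: catches an executable renamed to hide it
            findings.append((rel, "PE (MZ) header"))
        if path.suffix.lower() in (".htm", ".html"):
            for pattern, reason in SUSPICIOUS_HTML:
                if pattern.search(data):
                    findings.append((rel, reason))
    return findings


def build_sample(root):
    """Constructed sample tree standing in for the output of hh.exe -decompile."""
    root = Path(root)
    (root / "images").mkdir(parents=True, exist_ok=True)
    (root / "images" / "logo.gif").write_bytes(b"GIF89a" + b"\x00" * 16)
    (root / "intro.htm").write_text("<html><body><h1>Test</h1></body></html>")
    (root / "menu.htm").write_text(
        '<html><body><object id="hh" classid="clsid:CONSTRUCTED-PLACEHOLDER">'
        '<param name="Command" value="ShortCut"><param name="Item1" value=",notepad.exe,">'
        "</object></body></html>"
    )
    (root / "notepad.exe").write_bytes(b"MZ" + b"\x90" * 62)  # stub bytes, not a real program
    (root / "readme.txt").write_bytes(b"MZ" + b"\x90" * 62)   # executable hiding behind .txt


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan_decompiled_chm(tmp)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Any finding is a reason to hand the file to a security officer rather than open it; a topic that only displays text produces none.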
______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
Q-203: MySQL
Q-204: Linux Kernel Vulnerabilities
Q-205: HP Tru64 UNIX
Q-206: kernel Update
Q-207: postgresql Update
Q-208: php Update
Q-209: Windows VPN Client
Q-210: RealVNC Authentication Bypass
Q-211: libextractor
Q-212: HP-UX Mozilla Vulnerability