
The Goldfish Bowl

Graham Tyler's blog capturing thoughts on SharePoint, Live Communications and more
SPS Administrator's Guide blocked by HTML Help security update
You may find that the downloaded compiled help file (.chm) version of the SharePoint Portal Server Administrator’s Guide (found here on microsoft.com) will no longer open correctly after applying the latest batch of Windows XP security updates released last week on 14th June (http://www.microsoft.com/technet/security/Bulletin/MS05-026.mspx). This isn’t specific to the SPS admin guide; it potentially affects any downloaded .chm file (although the WSS admin guide seemed to work fine).

The solution is to right-click the .chm file, click Properties, and click “unblock”. The guide will then open correctly. See this support article for more details: http://support.microsoft.com/kb/902225

Might save a few minutes of head-scratching :-)

Posted: Monday, June 20, 2005 6:43 AM by grahamtyler
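
The Unblock step above, scripted as an added example (not from the original post or the support article): the Properties button removes the file's Zone.Identifier alternate data stream, so this script lists the .chm files that still carry it and clears it only when asked. It assumes PowerShell 3.0 or later; the default folder and the function name Get-BlockedChm are hypothetical.

```powershell
# Added example, not from the original post.
# Lists .chm files that still carry the Zone.Identifier alternate data stream
# and, only with -Unblock, clears it (same effect as Properties > Unblock).
param(
    # Hypothetical default; point this at the folder the guides were saved to.
    [string]$HelpDir = "$env:USERPROFILE\Downloads",
    [switch]$Unblock
)

# Zone numbers as used by Windows URL security zones.
$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
                3 = 'Internet';      4 = 'Restricted Sites' }

function Get-BlockedChm {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Filter *.chm -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Files without the stream raise an error; suppress it and skip them.
            $ads = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier `
                               -ErrorAction SilentlyContinue
            if ($ads) {
                $zone = $null
                foreach ($line in $ads) {
                    if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1] }
                }
                [pscustomobject]@{
                    File   = $file.FullName
                    ZoneId = $zone
                    Zone   = if ($null -ne $zone) { $ZoneNames[$zone] } else { 'unknown' }
                }
            }
        }
}

$blocked = @(Get-BlockedChm -Path $HelpDir)
if ($blocked.Count -eq 0) {
    Write-Output "No marked .chm files under $HelpDir"
    return
}

# Always show what was found so the list can be reviewed before anything changes.
$blocked | Format-Table -AutoSize

if ($Unblock) {
    foreach ($item in $blocked) {
        Unblock-File -LiteralPath $item.File
        Write-Output "Unblocked: $($item.File)"
    }
}
```

Run it once without `-Unblock` to review the list, then again with the switch for the files you obtained from a source you trust.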

Comments

Jeff Parker said:

Arrrg, Ok, here is a question. Since I also produce my own help files for my apps and I build them with html help. I have never understood what is in or what can be put in a help file that is so dangerous. You can not email a chm file in outlook it is blocked. Now you can not download it.

I guess I have never looked at a help file or built a help file with some advanced functionality that could be exploited. My help files are basically plain text, the html uses a style sheet, there is a TOC and stuff but again just plain text, there is no javascript, or vbscript and most importantly no need to have it. The help search and toc functionality from the MS Help format is just fine for me. I guess my question is why punish the help developers that use the help legitimately. Why not remove the functionality that is making the chm files so dangerous or better yet if there is someone that uses this functionality legitimately then why not add a special flag to the chm file that says it needs this then block these files and if the flag is not there then disable this functionality that is dangerous. Your average user is generally stupid, I have already had calls on why people can open my downloaded chm files, this took me forever to figure this one out. Since I had to force users to download help since I can't email them. Most users don't know where the heck they even downloaded the chm file to let alone know where to go to unblock it.

While I am all for making the OS more secure I think there are much better ways of handling this. Now you're going to start having people download html files for help with whatever scripting is causing the security problems in the html and well because they are opening the html on their hard drives IE instantly has a lower security because the hard drive is in the local intranet zone.

Sorry, not trying to shoot the messenger, I think I just needed a rant but I have never understood why MS built something potentially so dangerous into something so important as help and have been crippling ways users get help ever since.
# June 20, 2005 8:43 AM

grahamtyler said:

Hi Jeff,

I feel your pain - and it's definitely worth letting it out (how else will it get fixed? :-)

I'm not an expert on HTML Help, so I can't offer much support on this issue (other than moral support of course) - I'd recommend posting your questions over on the IE Blog at http://blogs.msdn.com/ie. Previous security updates to HTML Help have been discussed on this blog.

In particular check out this post from Jeremy Dallman: http://blogs.msdn.com/ie/archive/2005/06/14/429082.aspx

Jeremy is the project manager for Internet Explorer security bulletins, and so may be able to help further, or at least direct you to the right people.
# June 20, 2005 12:39 PM

Bil Simser said:

Thanks! I was wondering what was up. I copied my chm files down to the local machine to see if that would work but that didn't help either. Glad there's a solution.
# June 20, 2005 5:44 PM