Problem Viewing CHM Files on Network Drives.

Discussion in 'Windows Update' started by Luis I. Gomez, Jun 16, 2005.

  1. After applying the latest security updates, we are finding that all "CHM"
    files viewed from a network drive are having problems. The following
    screen displays in the text area.

    Action canceled
    Internet Explorer was unable to link to the Web page you requested.
    The page might be temporarily unavailable.

    --------------------------------------------------------------------------

    Please try the following:

    a.. Click the Refresh button, or try again later.

    b.. If you have visited this page previously and you want to view
    what has been stored on your computer, click File, and then click Work
    Offline.

    c.. For information about offline browsing with Internet Explorer,
    click the Help menu, and then click Contents and Index.




    Internet Explorer
     
    Luis I. Gomez, Jun 16, 2005
    #1
    1. Advertisements

  2. Hi,

    This is caused by the security update KB896358 (MS05-026: A
    vulnerability in HTML Help could allow remote code execution)


    Importing the following registry file will solve the problem as long
    as your network drive is defined as "Local intranet zone" (it should
    be).

    The setting above will Local Machine zone, Local intranet zone, and
    Trusted sites zone.

    --------------------8<----------------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions]
    "MaxAllowedZone"=dword:00000002

    --------------------8<----------------------

    More about this registry setting here:

    http://support.microsoft.com/kb/896358

    and here:
    http://support.microsoft.com/kb/896054
     
    Torgeir Bakken \(MVP\), Jun 16, 2005
    #2
    1. Advertisements

  3. Thank you for you solution.

    I must say that this particular issue is making me re-think my strategy of
    using Microsoft Html Help Workshop.

    A security buletin was posted on 6/14, and a Security update on 6/15 that
    single handedly caused every network based application that relied on CHM or
    HTMLHELP documents to suddenly fail. This resulted in a huge influx to our
    help center along with the task to re-designing our documentation strategy.

    I suppose that it may seem reasonable to simply go to the registry and apply
    the changes, but this is something that must be done on tens of thousands of
    systems at around 1,000 sites.

    Essentially with one days notice, it has been decreed that network based
    documentation is no longer appropriate.

    As I understand the situation, it has been decided that HTML documents
    coantained within a CHM file stored on a network device pose a security
    threat, and represent a danger to the system. This seems to be the most
    basic of CHM functionality.

    If I understand the intent of this update, it is expected that we install
    several gigabytes of CHM files on each of hundreds of workstations in order
    to provide our manual to our users at a particular installation. We then
    need to make certain that these manuals are updated on the local systems.
    I suppose an alternative is to copy a particular document to the local hard
    disk before displaying it.

    Luis
     
    Luis I. Gomez, Jun 17, 2005
    #3
  4. Hi,

    If this is computers in an Active Directory domain:

    You can push out that registry value with a GPO using a custom
    administrative template ("tattooing" the registry on the clients):

    HOW TO: Create Custom Administrative Templates in Windows 2000
    http://support.microsoft.com/?kbid=323639

    225087 Writing Custom ADM Files for System Policy Editor
    http://support.microsoft.com/?kbid=225087

    Implementing Registry-Based Group Policy
    go.microsoft.com/fwlink/?LinkId=28188

    Implementing Registry-based Policy [Group Policy]
    http://msdn.microsoft.com/library/en-us/policy/policy/implementing_registry_based_policy.asp


    You might be interested in the free PolicyMaker Registry Extension
    as well:
    http://www.desktopstandard.com/PolicyMakerRegistryExtension.aspx
     
    Torgeir Bakken \(MVP\), Jun 17, 2005
    #4
  5. Luis I. Gomez

    Leigh Haynes Guest

    I too hit the "Action Canceled" problem with Compiled HTML Help (CHM) files
    after deploying the recent security updates (MS04-023, MS05-001 and MS05-
    026).

    As we have many applications that access CHM files from network drives I
    created a custom administrative template (ADM) to deploy the required
    registry settings to our workstations. This is a much more elegant and
    flexible solution than the batch file method suggested in the KB articles.

    Here is my template - no warranty implied or given, use it at your own risk
    etc.


    CLASS MACHINE

    CATEGORY "HTML Help Security Updates"

    POLICY "HTML Help ActiveX Maximum Allowed Zone"
    KEYNAME "SOFTWARE\Microsoft\HTMLHelp\1.x\HHRestrictions"
    EXPLAIN "Security updates MS05-026 and MS05-001 include changes
    that restrict the HTML Help ActiveX control by zone."
    PART "Select the maximum allowed zone for HTML Help ActiveX:"
    DROPDOWNLIST
    VALUENAME MaxAllowedZone
    ITEMLIST
    NAME "Local Machine" VALUE NUMERIC 0 DEFAULT
    NAME "Local Intranet" VALUE NUMERIC 1
    NAME "Trusted Sites" VALUE NUMERIC 2
    NAME "Internet" VALUE NUMERIC 3
    NAME "Restricted Sites" VALUE NUMERIC 4
    END ITEMLIST
    END PART
    END POLICY

    POLICY "HTML Help InfoTech Protocol Maximum Allowed Zone"
    KEYNAME "SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions"
    EXPLAIN "Security updates MS05-026 and MS04-023 include changes
    that restrict the HTML Help InfoTech protocol by zone."
    PART "Select the maximum allowed zone for HTML Help InfoTech:"
    DROPDOWNLIST
    VALUENAME MaxAllowedZone
    ITEMLIST
    NAME "Local Machine" VALUE NUMERIC 0 DEFAULT
    NAME "Local Intranet" VALUE NUMERIC 1
    NAME "Trusted Sites" VALUE NUMERIC 2
    NAME "Internet" VALUE NUMERIC 3
    NAME "Restricted Sites" VALUE NUMERIC 4
    END ITEMLIST
    END PART
    END POLICY

    END CATEGORY


    Leigh Haynes
    Computing Services
    University of Lincoln
     
    Leigh Haynes, Jul 1, 2005
    #5
  6. Luis I. Gomez

    Kongor Guest

    This solution is not working for me. I am not using an NT or 2003 server -
    just a straightforward peer-to-peer network and the registry entry described
    does bot seem to have any effect. Any thoughts?

     
    Kongor, Aug 22, 2005
    #6
  7. Hi,

    It may work for you to use the UrlAllowList registry value instead.

    More about this here:
    http://support.microsoft.com/kb/896054

    and here:
    http://support.microsoft.com/kb/896358
     
    Torgeir Bakken \(MVP\), Aug 22, 2005
    #7
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.