
The HTML Help facility is implemented in part as an ActiveX control. This allows it to be called by both GUI-based and web-based applications, potentially including web sites. The facility provides a number of different functions that applications can use when displaying their help information. However, one of those functions contains an unchecked buffer, and this flaw poses a security vulnerability.


An attacker who invoked the HTML Help facility and called the affected function using a specially malformed parameter could modify the functionality of the HTML Help facility and cause it to perform actions of the attacker's choice. This could include adding, deleting or changing data on the system, running programs, downloading or uploading data, or virtually any other action that the user could take. In essence, it would let the attacker pose as the user on the system.

Technical details (analysis)

This is a buffer overrun vulnerability. An attacker who was able to exploit this vulnerability could take any action the legitimate user could take; for instance, the attacker could add, delete or change data files, download and run programs, communicate with web sites, reformat the hard drive, or take other actions. The vulnerability could be exploited either by luring a user into visiting a web site controlled by the attacker, or by sending a specially constructed HTML mail to a user. The vulnerability results because the ActiveX control that implements the HTML Help facility contains an unchecked buffer in one of the functions it exposes. If the function was called using a specially malformed argument, it could have the effect of overrunning the buffer.

Affected software

Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0, Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP

Non-affected software

All applications not in the affected list



NIS signature

Name: Exploit:Win/MSIE.HelpActiveX.RCE!CAN-2002-0693
Release Date: 2003-02-28T00:00:00

Known false positives

No known false positives at this time.


The HTML mail-based attack vector could not be exploited on systems where Outlook 98 or Outlook 2000 were used in conjunction with the Outlook Email Security Update, or Outlook Express 6 or Outlook 2002 were used in their default configurations.