MS Help Center exploit

Marketers, reviewers, and many customers love "multimedia" help systems. It's true that, done well, graphical and interactive elements can greatly enhance instructional material. Movies that demonstrate complex tasks, pictures that are "worth a thousand words," and automated actions that let users complete tasks more easily and more accurately are all valuable tools in creating Help that moves beyond the "onscreen book" approach.

But flexibility and power bring complexity and, sometimes, vulnerability. Displaying some text and pictures is safe and easy, but providing all the features needed for the Help to be nicely integrated and "smart" can be problematic. Case in point: this article at The Register describes a security hole introduced in Microsoft's Help Center. Clicking a specially formed URL can wipe out the contents of a directory on your hard drive. Ouch.

Posted: November 15, 2002