security of CHM files

I saw many CHM e-books floating around the internet lately, and I worry that these might become a new form of worm carrier... so -

Just wondering, does Windows have any security measures for CHM help files?  I know that some scripts can execute from inside a CHM file (they are essentially HTML after all), but what security level are they run at?  Does anti-virus software check the content of CHM files (since it is compressed)?

I guess many people would benefit from this information, many thanks.
iuhh Asked:

sunray_2003 Commented:
Check these

http://www.wanadoo.com.lb/virus/default.asp?language=2&virus=4

You need to check for viruses and their removal instructions

http://www.bullguard.com/antivirus/vit_breetnee_b.aspx

Sunray
iuhh Author Commented:
Thanks for the information.  Since a script can run inside a CHM, I think just about all script worms/viruses can be embedded into one of those files.  I am actually more interested in the security restrictions that were placed around those scripts, e.g. which security zone (Web Content Zone) are they running in?  How to place more restrictions around CHM files?

I figure that CHM was possibly not considered a potentially harmful file like exe, so it won't be blocked by email clients by default, is that correct?

Damage can possibly be minimized if the infected CHM were viewed in a restricted account, but on many occasions it will be the developers who need those CHM files for reference, and developers tend to use privileged accounts unfortunately.  Is there a good security solution for such a problem?  Does current antivirus software (Norton, McAfee, Panda... or whatever) check inside a CHM file?

Many thanks again.
Franklin_DeMatto Commented:
You wrote: Does current antivirus software (Norton, McAfee, Panda... or whatever) check inside a CHM file?

I believe that they can be set to check all file extensions.  However, be aware that they will only detect a virus if they already have its signature.  So they will miss any custom trojans.

Methods exist to get CHM files to execute arbitrary commands and code.
ajenkins Commented:
In short, properly configuring IE's security zones, disabling active scripting and adding CHM to ignored extensions should help protect you from malicious scripts in Compiled/Compressed HTML files.
Also make sure critical updates are installed; see TechNet bulletins MS00-037 and MS00-046.
Viruses that use CHM scripts do exist (BleBla, VBS/BritneyPic, HTML_The_Fly) and decent AV software will detect them.
I believe Sophos scans .chm files by default. They are compressed with LZX, i.e. MS Compress, same as cabinet files.

http://xforce.iss.net/xforce/xfdb/10254
http://xforce.iss.net/xforce/xfdb/5567
http://www.securiteam.com/windowsntfocus/IE_vulnerability_allows_execution_of_arbitrary_programs___chm_files_and_temporary_file_folder_.html
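
An added example, not written by any poster in this thread: because the thread raises blocking CHM by extension and scanning inside CHM files, this Python code identifies CHM content by its `ITSF` signature instead of by file name, so a renamed help file can still be routed to quarantine or scanning. The header field layout follows the commonly published unofficial description of the format and is an assumption; the function names, verdict strings and sample bytes are constructed for illustration.

```python
import struct

ITSF_MAGIC = b"ITSF"        # signature at offset 0 of a compiled HTML Help file
CHM_EXTENSIONS = (".chm",)  # extensions treated as "claims to be CHM"


def parse_itsf(data):
    """Return basic header fields if data begins with an ITSF header, else None.

    Assumed layout (little-endian DWORDs after the 4-byte signature):
    version, header length, a constant, timestamp, Windows language ID.
    """
    if len(data) < 24 or data[:4] != ITSF_MAGIC:
        return None
    version, header_len, _const, _timestamp, lang_id = struct.unpack_from("<5I", data, 4)
    return {"version": version, "header_len": header_len, "lang_id": lang_id}


def triage(filename, data):
    """Classify an attachment by content first, file name second."""
    named_chm = filename.lower().endswith(CHM_EXTENSIONS)
    header = parse_itsf(data)
    if header and named_chm:
        return "chm"                 # genuine CHM: scan or block per policy
    if header:
        return "chm-renamed"         # CHM content hiding behind another extension
    if named_chm:
        return "chm-extension-only"  # .chm name but no ITSF header: malformed or truncated
    return "other"


def build_sample_header():
    """Constructed 0x60-byte header for testing; not taken from a real file."""
    fields = struct.pack("<5I", 3, 0x60, 1, 0, 0x0409)
    return ITSF_MAGIC + fields + b"\x00" * (0x60 - 24)


if __name__ == "__main__":
    sample = build_sample_header()
    attachments = [                  # constructed sample inputs
        ("manual.chm", sample),
        ("ebook.pdf", sample),
        ("notes.chm", b"%PDF-1.4 constructed, not a real PDF"),
        ("readme.txt", b"plain text"),
    ]
    for name, blob in attachments:
        print(f"{name:12} -> {triage(name, blob)}")
```

A mail gateway or download filter would apply the same policy to both `chm` and `chm-renamed` verdicts, since the viewer decides how to open a file by its content and association, not by what the sender named it.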
