CVE-2002-0694 in Windows
Summary
by MITRE
The HTML Help facility in Microsoft Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP uses the Local Computer Security Zone when opening .chm files from the Temporary Internet Files folder, which allows remote attackers to execute arbitrary code via HTML mail that references or inserts a malicious .chm file containing shortcuts that can be executed, aka "Code Execution via Compiled HTML Help File."
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 09/14/2025
The vulnerability described in CVE-2002-0694 represents a critical security flaw in Microsoft Windows operating systems that affects multiple versions including Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP. This issue specifically targets the HTML Help facility component that handles .chm files, which are compiled HTML help files commonly used for software documentation and user guides. The vulnerability stems from the improper security zone assignment when processing .chm files located in the Temporary Internet Files folder, creating an attack vector that can be exploited by remote adversaries.
The technical flaw in this vulnerability lies in the security model implementation within Windows HTML Help system where .chm files from the Temporary Internet Files folder are automatically assigned to the Local Computer Security Zone instead of the more restrictive Internet Security Zone. This misconfiguration allows malicious .chm files to execute with elevated privileges when opened through HTML email messages that reference or embed these files. The attack exploits the fact that shortcuts and executable content within these .chm files can be triggered during the rendering process, bypassing normal security restrictions that would normally prevent code execution from internet-based sources.
The operational impact of this vulnerability is significant as it enables remote code execution attacks that can compromise entire systems without requiring user interaction beyond opening an email message. Attackers can craft HTML email messages containing malicious .chm files that appear legitimate to users, making this a particularly dangerous vector for social engineering attacks. Once executed, the malicious code can perform various harmful actions including installing additional malware, modifying system files, creating backdoors, or exfiltrating sensitive data from the compromised system. The vulnerability affects a broad range of Windows operating systems, making it a widespread concern for organizations with diverse computing environments.
This vulnerability aligns with CWE-1004 which addresses insecure default security settings, and maps to ATT&CK technique T1203 - Exploitation for Client Execution, where adversaries leverage application vulnerabilities to execute malicious code on victim systems. Organizations should implement immediate mitigations including disabling the HTML Help facility for .chm files from untrusted sources, configuring security zones to prevent automatic execution of .chm files from the Temporary Internet Files folder, and applying the relevant Microsoft security patches released in response to this vulnerability. Additionally, email filtering systems should be configured to block .chm file attachments and users should be educated about the risks of opening email attachments from unknown sources. Network administrators should also consider implementing firewall rules that restrict access to .chm file repositories and monitor for suspicious file execution patterns that could indicate exploitation attempts.