Microsoft HTML Help Workshop .hhp file Buffer Overflow Exploit

Microsoft HTML Help is the standard help system for the Windows platform.


HTML Help offers some distinct advantages over standard HTML, such as the ability to implement a combined table of contents and index and the use of keywords for advanced hyperlinking capability. The HTML Help compiler (part of the HTML Help Workshop) makes it possible to compress HTML, graphic, and other files into a relatively small compiled help (.chm) file, which can then be distributed with a software application, or downloaded from the Web.


HTML Help consists of an online Help Viewer, related help components, and help authoring tools from Microsoft Corporation. The Help Viewer uses the underlying components of Microsoft Internet Explorer to display help content. It supports HTML, ActiveX, Java, scripting languages (JScript, and Microsoft Visual Basic Scripting Edition), and HTML image formats (.jpeg, .gif, and .png files)….


The exploit can cause remote arbitrary code execution if a malicious .hhp file is opened by the affected user. The level of control the attacker can gain depends on the privileges of the currently logged-in user.


The author has publicly provided a proof of concept, so it may not take long for some people to use the exploit for malicious purposes.


Users must be careful when viewing .hhp files, especially those from unfamiliar or untrusted sources. Accounts with administrator privileges should not be used unless necessary; a limited user account will suffice for daily tasks such as browsing the net, managing documents, etc.


References:
Microsoft HTML Help 1.4 SDK
Author’s Advisory