Browser Helper Objects and Security Risks

By Larry Seltzer  |  Posted 2003-04-03

The prototypical Microsoft feature, these add-ins for your browser can do undeniably useful, and undeniably dangerous things. Security Supersite Editor Larry Seltzer explores the good, bad and ugly.

Microsoft loves to make things programmable. It's one of the company's great strengths and, since everyone got connected to the Internet, one of the things that gets it into trouble. The first serious discussion of the over-programmability of Microsoft's products (to my memory) came in the wake of the Melissa virus in 1999. Why does a word processor need to be programmable?

Of course, there are a lot of people who want to be able to do this sort of thing, and I believe it's one of the main reasons their products are so popular. But sometimes they do open up interfaces that just make me nervous.

Google Toolbar
A good example is Browser Helper Objects. The most famous example of a BHO is the Google Toolbar, that thing that adds itself to Internet Explorer's toolbars, but there are a bunch of others. Norton Antivirus adds a BHO for no particularly useful reason.

A BHO is an add-in program for Internet Explorer 4.0 or later. Not only can it add menus and fields and buttons like the Google toolbar, it has full access to the internal events of Internet Explorer. You hit the back button? The BHO knows, and can take action. BHOs can also hook into Windows Explorer in all recent versions for some actions, although there, shell extensions are more appropriate.

When I reviewed spyware-removal tools for PC Magazine, I was only slightly surprised to see that many of the spyware programs and their carriers, like the Alexa Toolbar, are BHOs. This fact simply underscores the scary thing about BHOs: They look over your browser's shoulder as it works, noting everything that happens and potentially prodding it to do something different.

In a very real sense, when you install any program on your computer you are implicitly saying that you trust it with all the other data and software on that system (and the network). Most of us don't really believe this, but it's true. BHOs have special potential for mischief. How would you feel if a program tracked everything you typed in your browser, every site you went to, and so on? A BHO can do this. In fact, this is what the Alexa toolbar does: It monitors where you are going so that it can show you related page links.

BHOs usually have a user interface like the Google toolbar, but they don't have to. Perhaps it's the ones without a UI that you really need to fear. Most of the legitimate uses for a BHO would require a UI.

So what BHOs are running on your system? It isn't all that easy to tell on your own. You can get an idea of what is running by looking at your registry. (I can't take the time here to explain the registry to those of you who don't know it or that you can do serious damage to your system if you mess with it carelessly. Just be careful.) The key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" has one entry for each BHO installed in your system. All you'll see there is a GUID—a very large number displayed in hexadecimal—it's a unique ID for that BHO. The easiest thing to do with it is to go to SpywareInfo's list of all known Browser Helper Objects. They also provide a program called BHODemon to display and disable BHOs on your system.
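The registry lookup described above can be scripted so that each GUID is resolved to the DLL that actually loads into the browser. This is an added example, not part of the original article or any tool it names; the function name `Get-BhoInventory` is hypothetical, and the `WOW6432Node` paths (the 32-bit registry view on 64-bit Windows) are an assumption that goes beyond the single key the article gives.

```powershell
# Added example: read-only inventory of registered Browser Helper Objects.
# Run in a PowerShell session on the Windows machine being audited.
$bhoSuffix = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$views = @(
    # The key named in the article, with the CLSID tree of the same view
    @{ Bho = "HKLM:\SOFTWARE\$bhoSuffix"
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    # Assumption: 32-bit view on 64-bit Windows (not mentioned in the article)
    @{ Bho = "HKLM:\SOFTWARE\WOW6432Node\$bhoSuffix"
       Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
)

function Get-BhoInventory {
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Bho)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $view.Bho) {
            $guid = $sub.PSChildName            # one subkey per BHO, named by GUID
            $comKey = "$($view.Clsid)\$guid"
            $name = $null; $dll = $null; $sig = 'n/a'

            # Default value of the CLSID key is the component's friendly name
            $k = Get-Item -LiteralPath $comKey -ErrorAction SilentlyContinue
            if ($k) { $name = $k.GetValue('') }

            # Default value of InprocServer32 is the DLL loaded into the browser
            $s = Get-Item -LiteralPath "$comKey\InprocServer32" -ErrorAction SilentlyContinue
            if ($s) { $dll = ([string]$s.GetValue('')).Trim('"') }

            # A missing DLL or an unsigned one is worth a closer look
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
            } elseif ($dll) {
                $sig = 'file missing'
            }

            [pscustomobject]@{
                Guid      = $guid
                Name      = $name
                Dll       = $dll
                Signature = $sig
                View      = $view.Bho
            }
        }
    }
}

Get-BhoInventory | Format-List
```

An entry with no friendly name, no resolvable DLL, or a signature status other than `Valid` is the kind of UI-less or unaccountable BHO the article warns about and deserves manual review.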

So BHOs can be a good thing, but it's clear that not all of them are trustworthy. They're already more of a problem than is generally recognized, and they're going to need more attention in the future. Microsoft could start by adding a user interface to Add/Remove programs (perhaps into IE's Tools-Internet Options dialog) as a way of managing these things and requiring some accountability on their part. At least the user would have some more control.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
