Browser Helper Objects and Security Risks

 
 
By Larry Seltzer  |  Posted 2003-04-03
 
 
 

Microsoft loves to make things programmable. It's one of the company's great strengths and, since everyone got connected to the Internet, one of the things that gets it into trouble. The first serious discussion of the over-programmability of Microsoft's products (to my memory) came in the wake of the Melissa virus in 1999. Why does a word processor need to be programmable?

Of course, there are a lot of people who want to be able to do this sort of thing, and I believe it's one of the main reasons their products are so popular. But sometimes they do open up interfaces that just make me nervous.

Google Toolbar

A good example is Browser Helper Objects. The most famous example of a BHO is the Google Toolbar, that thing that adds itself to Internet Explorer's toolbars, but there are a bunch of others. Norton Antivirus adds a BHO for no particularly useful reason.

A BHO is an add-in program for Internet Explorer 4.0 or later. Not only can it add menus and fields and buttons like the Google toolbar, it has full access to the internal events of Internet Explorer. You hit the back button? The BHO knows, and can take action. BHOs also can hook into Windows Explorer in all recent versions for some actions, although there, shell extensions are more appropriate.

When I reviewed spyware-removal tools for PC Magazine, I was only slightly surprised to see that many of the spyware programs and their carriers, like the Alexa Toolbar, are BHOs. This fact simply underscores the scary thing about BHOs: They look over your browser's shoulder as it works, noting everything that happens and potentially prodding it to do something different.

In a very real sense, when you install any program on your computer you are implicitly saying that you trust it with all the other data and software on that system (and the network). Most of us don't really believe this, but it's true. BHOs have special potential for mischief. How would you feel if a program tracked everything you typed in your browser, every site you went to, and so on? A BHO can do this. In fact, this is what the Alexa toolbar does: It monitors where you are going so that it can show you related page links.

BHOs usually have a user interface like the Google toolbar, but they don't have to. Perhaps it's the ones without a UI that you really need to fear. Most of the legitimate uses for a BHO would require a UI.

So what BHOs are running on your system? It isn't all that easy to tell on your own. You can get an idea of what is running by looking at your registry. (I can't take the time here to explain the registry to those of you who don't know it or that you can do serious damage to your system if you mess with it carelessly. Just be careful.) The key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" has one entry for each BHO installed in your system. All you'll see there is a GUID—a very large number displayed in hexadecimal—it's a unique ID for that BHO. The easiest thing to do with it is to go to SpywareInfo's list of all known Browser Helper Objects. They also provide a program called BHODemon to display and disable BHOs on your system.
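
The registry lookup described above can be scripted. The following PowerShell is an added example, not part of the original column: it reads the key named above and, as assumptions beyond the article, also checks the 32-bit WOW6432Node view, resolves each GUID through the standard COM registration under Classes\CLSID, and reports the Authenticode status of the DLL it finds.

```powershell
# Added example: read-only inventory of registered Browser Helper Objects.
# The first Bho path is the key named in the article; the WOW6432Node view and
# the Classes\CLSID lookup are standard Windows locations assumed here.
$views = @(
    @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Bho   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID' }
)

function Get-BhoInventory {
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Bho)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $view.Bho) {
            $guid = $key.PSChildName          # subkey name is the BHO's GUID
            $name = $null; $dll = $null

            # Resolve the GUID to its COM registration: friendly name and DLL path
            $clsidKey = Join-Path $view.Clsid $guid
            if (Test-Path -LiteralPath $clsidKey) {
                $name = (Get-Item -LiteralPath $clsidKey).GetValue('')
                $server = Join-Path $clsidKey 'InprocServer32'
                if (Test-Path -LiteralPath $server) {
                    $dll = [string](Get-Item -LiteralPath $server).GetValue('')
                    $dll = $dll.Trim('"')
                }
            }

            # A BHO whose DLL is missing or unsigned deserves a closer look
            if ($dll -and (Test-Path -LiteralPath $dll -PathType Leaf)) {
                $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
            } elseif ($dll) {
                $sig = 'FileMissing'
            } else {
                $sig = 'NoServerRegistered'
            }

            [pscustomobject]@{
                Guid = $guid; Name = $name; Dll = $dll
                Signature = $sig; RegistryView = $view.Bho
            }
        }
    }
}

Get-BhoInventory | Format-List
```

Entries with no name, no registered DLL, or a signature status other than `Valid` are the ones to look up first.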

So BHOs can be a good thing, but it's clear that not all of them are trustworthy. They're already more of a problem than is generally recognized, and they're going to need more attention in the future. Microsoft could start by adding a user interface to Add/Remove programs (perhaps into IE's Tools-Internet Options dialog) as a way of managing these things and requiring some accountability on their part. At least the user would have some more control.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.
