Browser Helper Object

Last updated May 12, 2024

A Browser Helper Object (BHO) is a DLL module designed as a plugin for the Microsoft Internet Explorer web browser to provide added functionality. BHOs were introduced in October 1997 with the release of version 4 of Internet Explorer. Most BHOs are loaded once by each new instance of Internet Explorer. However, in the case of Windows Explorer, a new instance is launched for each window.

Implementation

Each time a new instance of Internet Explorer starts, it checks the Windows Registry for the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects. If Internet Explorer finds this key in the registry, it looks for a CLSID key listed below the key. The CLSID keys under Browser Helper Objects tell the browser which BHOs to load. Removing the registry key prevents the BHO from being loaded. For each CLSID that is listed below the BHO key, Internet Explorer calls CoCreateInstance to start the instance of the BHO in the same process space as the browser. If the BHO is started and implements the IObjectWithSite interface, it can control and receive events from Internet Explorer. BHOs can be created in any language that supports COM.^[1]

Examples

Some modules enable the display of different file formats not ordinarily interpretable by the browser. The Adobe Acrobat plug-in that allows Internet Explorer users to read PDF files within their browser is a BHO.

Other modules add toolbars to Internet Explorer, such as the Alexa Toolbar that provides a list of web sites related to the one you are currently browsing, or the Google Toolbar that adds a toolbar with a Google search box to the browser user interface.

The Conduit toolbars are based on a BHO that can be used on Internet Explorer 7 and up. This BHO provides a search facility that connects to Microsoft's Bing search.

Concerns

The BHO API exposes hooks that allow the BHO to access the Document Object Model (DOM) of the current page and to control navigation. Because BHOs have unrestricted access to the Internet Explorer event model, some forms of malware (such as adware and spyware) have also been created as BHOs.^[2]^[3]

For example, the Download.ject malware is a BHO that is activated when a secure HTTP connection is made to a financial institution, then begins to record keystrokes for the purpose of capturing user passwords. The MyWay Searchbar tracks users' browsing patterns and passes the information it records to third parties. The C2.LOP malware adds links and popups of its own to web pages in order to drive users to pay-per-click websites.^{[ citation needed ]}

Many BHOs introduce visible changes to a browser's interface, such as installing toolbars in Internet Explorer and the like, but others run without any change to the interface. This renders it easy for malicious coders to conceal the actions of their browser add-on, especially since, after being installed, the BHO seldom requires permission before performing further actions. For instance, variants of the ClSpring trojan use BHOs to install scripts to provide a number of instructions to be performed such as adding and deleting registry values and downloading additional executable files, all completely transparently to the user.^[4]

In response to the problems associated with BHOs and similar extensions to Internet Explorer, Microsoft debuted an Add-on Manager in Internet Explorer 6 with the release of Service Pack 2 for Windows XP (updating it to IE6 Security Version 1, a.k.a. SP2). This utility displays a list of all installed BHOs, browser extensions and ActiveX controls, and allows the user to enable or disable them at will. There are also free tools (such as BHODemon) that list installed BHOs and allow the user to disable malicious extensions. Spybot S&D advanced mode has a similar tool built in to allow the user to disable installed BHO.

Related Research Articles

Internet Explorer is a retired series of graphical web browsers developed by Microsoft that were used in the Windows line of operating systems. While IE has been discontinued on most Windows editions, it remains supported on certain editions of Windows, such as Windows 10 LTSB/LTSC. Starting in 1995, it was first released as part of the add-on package Plus! for Windows 95 that year. Later versions were available as free downloads or in-service packs and included in the original equipment manufacturer (OEM) service releases of Windows 95 and later versions of Windows. Microsoft spent over US$100 million per year on Internet Explorer in the late 1990s, with over 1,000 people involved in the project by 1999. New feature development for the browser was discontinued in 2016 and ended support on June 15, 2022 for Windows 10 Semi-Annual Channel (SAC), in favor of its successor, Microsoft Edge.

Visual Basic for Applications (VBA) is an implementation of Microsoft's event-driven programming language Visual Basic 6.0 built into most desktop Microsoft Office applications. Although based on pre-.NET Visual Basic, which is no longer supported or updated by Microsoft, the VBA implementation in Office continues to be updated to support new Office features. VBA is used for professional and end-user development due to its perceived ease-of-use, Office's vast installed userbase, and extensive legacy in business.

File Explorer, previously known as Windows Explorer, is a file manager application and default desktop environment that is included with releases of the Microsoft Windows operating system from Windows 95 onwards. It provides a graphical user interface for accessing the file systems, as well as user interface elements such as the taskbar and desktop.

In computing, Download.ject is a malware program for Microsoft Windows servers. When installed on an insecure website running on Microsoft Internet Information Services (IIS), it appends malicious JavaScript to all pages served by the site.

This is a comparison of both historical and current web browsers based on developer, engine, platform(s), releases, license, and cost.

<span class="mw-page-title-main">Microsoft Defender Antivirus</span> Anti-malware software

Microsoft Defender Antivirus is an antivirus software component of Microsoft Windows. It was first released as a downloadable free anti-spyware program for Windows XP and was shipped with Windows Vista and Windows 7. It has evolved into a full antivirus program, replacing Microsoft Security Essentials in Windows 8 or later versions.

Mozilla Firefox has features which distinguish it from other web browsers, such as Google Chrome, Safari, and Microsoft Edge.

Windows Internet Explorer 7 (IE7) is a web browser for Windows. It was released by Microsoft on October 18, 2006, as the seventh version of Internet Explorer and the successor to Internet Explorer 6. Internet Explorer 7 is part of a long line of versions of Internet Explorer and was the first major update to the browser since 2001. It was the default browser in Windows Vista and Windows Server 2008, as well as Windows Embedded POSReady 2009, and can replace Internet Explorer 6 on Windows XP and Windows Server 2003, but unlike version 6, this version does not support Windows 2000, Windows ME, or earlier versions of Windows. It also does not support Windows 7, Windows Server 2008 R2 or later Windows Versions.

AutoRun and the companion feature AutoPlay are components of the Microsoft Windows operating system that dictate what actions the system takes when a drive is mounted.

As the next version of Windows NT after Windows 2000, as well as the successor to Windows Me, Windows XP introduced many new features but it also removed some others.

The Windows Metafile vulnerability—also called the Metafile Image Code Execution and abbreviated MICE—is a security vulnerability in the way some versions of the Microsoft Windows operating system handled images in the Windows Metafile format. It permits arbitrary code to be executed on affected computers without the permission of their users. It was discovered on December 27, 2005, and the first reports of affected computers were announced within 24 hours. Microsoft released a high-priority update to eliminate this vulnerability via Windows Update on January 5, 2006. Attacks using this vulnerability are known as WMF exploits.

Microsoft Management Console (MMC) is a component of Microsoft Windows that provides system administrators and advanced users an interface for configuring and monitoring the system. It was first introduced in 1998 with the Option Pack for Windows NT 4.0 and later came pre-bundled with Windows 2000 and its successors.

The Windows shell is the graphical user interface for the Microsoft Windows operating system. Its readily identifiable elements consist of the desktop, the taskbar, the Start menu, the task switcher and the AutoPlay feature. On some versions of Windows, it also includes Flip 3D and the charms. In Windows 10, the Windows Shell Experience Host interface drives visuals like the Start Menu, Action Center, Taskbar, and Task View/Timeline. However, the Windows shell also implements a shell namespace that enables computer programs running on Windows to access the computer's resources via the hierarchy of shell objects. "Desktop" is the top object of the hierarchy; below it there are a number of files and folders stored on the disk, as well as a number of special folders whose contents are either virtual or dynamically created. Recycle Bin, Libraries, Control Panel, This PC and Network are examples of such shell objects.

Kiosk software is the system and user interface software designed for an interactive kiosk or Internet kiosk enclosing the system in a way that prevents user interaction and activities on the device outside the scope of execution of the software. This way, the system replaces the look and feel of the system it runs over, allowing for customization and limited offering of ad-hoc services. KioskTotal Kiosk software locks down the application in order to protect the kiosk from users which is specially relevant under, but not only limited to, scenarios where the device is publicly accessed such libraries, vending machines or public transport. Kiosk software may offer remote monitoring to manage multiple kiosks from another location. An Email or text alert may be automatically sent from the kiosk for daily activity reports or generated in response to problems detected by the software. Other features allow for remote updates of the kiosk's content and the ability to upload data such as kiosk usage statistics. Kiosk software is used to manage a touchscreen, allowing users to touch the monitor screen to make selections. A virtual keyboard eliminates the need for a computer keyboard. Kiosk software enables digital signage devices to operate in a dedicated mode, ensuring that the devices run for a specified purpose, thus providing additional security compared to normal mode use.

A browser toolbar is a toolbar that resides within a browser's window. All major web browsers provide support to browser toolbar development as a way to extend the browser's GUI and functionality. Browser toolbars are considered to be a particular kind of browser extensions that present a toolbar. Browser toolbars are specific to each browser, which means that a toolbar working on a browser does not work on another one. All browser toolbars must be installed in the corresponding browser before they can be used and require updates when new versions are released.

Windows Internet Explorer 8 (IE8) is a web browser for Windows. It was released by Microsoft on March 19, 2009, as the eighth version of Internet Explorer and the successor to Internet Explorer 7. It was the original, default browser in Windows 7 and Windows Server 2008 R2, before Internet Explorer 11 was introduced.

Internet Explorer 9 or IE9 is the ninth version of the Internet Explorer web browser for Windows. It was released by Microsoft on March 14, 2011, as the ninth version of Internet Explorer and the successor to Internet Explorer 8. Microsoft released Internet Explorer 9 as a major out-of-band version that was not tied to the release schedule of any particular version of Windows, unlike previous versions. It is the first version of Internet Explorer not to be bundled with a Windows operating system, although some OEMs have installed it with Windows 7 on their PCs. Internet Explorer 9 is the last version that is called Windows Internet Explorer. The software was rebranded simply as Internet Explorer starting in 2012 with the release of Internet Explorer 10.

Component Object Model (COM) is a binary-interface standard for software components introduced by Microsoft in 1993. It is used to enable inter-process communication (IPC) object creation in a large range of programming languages. COM is the basis for several other Microsoft technologies and frameworks, including OLE, OLE Automation, Browser Helper Object, ActiveX, COM+, DCOM, the Windows shell, DirectX, UMDF and Windows Runtime.

Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes with cross-site scripting (XSS) with a secondary payload using Adobe Flash. Security exploits can also take advantage of vulnerabilities that are commonly exploited in all browsers.

References

↑ Roberts Scott, Programming Microsoft Internet Explorer 5, Microsoft Press, 1999, ISBN 0-7356-0781-8
↑ "Browser Hijack Objects (BHOs)". Malwarebytes Labs. Retrieved 2021-12-05.
↑ Park, Beomsoo; Hong, Sungjin; Oh, Jaewook; Lee, Heejo (2005). Kantor, Paul; Muresan, Gheorghe; Roberts, Fred; Zeng, Daniel D.; Wang, Fei-Yue; Chen, Hsinchun; Merkle, Ralph C. (eds.). "Defending a Web Browser Against Spying with Browser Helper Objects". Intelligence and Security Informatics. Lecture Notes in Computer Science. Berlin, Heidelberg: Springer: 638–639. doi:10.1007/11427995_85. ISBN 978-3-540-32063-0.
↑ Computer Associates malware entry at ca.com, retrieved 1/16/2009

External links

Sites.google.com Archived 2014-12-24 at the Wayback Machine

Microsoft sites

IEHelper-Attaching to Internet Explorer 4.0 by Using a Browser Helper Object
Control Internet Explorer Add-ons with Add-on Manager –an article on Microsoft.com that explains this new feature of Windows XP Service Pack 2
Building Browser Helper Objects with Visual Studio 2005 –an October 2006 MSDN article by Tony Schreiner and John Sudds

Listings and examples

CLSID List –master list created by Tony Kleinkramer, which attempts to record and identify every BHO available (previously located at –the now defunct – castlecops.com) –also includes Toolbar, Explorer Bar and URLSearchHook GUIDs
C++ example code for a BHO
C# example code for a BHO

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Roberts Scott, Programming Microsoft Internet Explorer 5, Microsoft Press, 1999, ISBN 0-7356-0781-8

[2] "Browser Hijack Objects (BHOs)". Malwarebytes Labs. Retrieved 2021-12-05.

[3] Park, Beomsoo; Hong, Sungjin; Oh, Jaewook; Lee, Heejo (2005). Kantor, Paul; Muresan, Gheorghe; Roberts, Fred; Zeng, Daniel D.; Wang, Fei-Yue; Chen, Hsinchun; Merkle, Ralph C. (eds.). "Defending a Web Browser Against Spying with Browser Helper Objects". Intelligence and Security Informatics. Lecture Notes in Computer Science. Berlin, Heidelberg: Springer: 638–639. doi:10.1007/11427995_85. ISBN 978-3-540-32063-0.

[4] Computer Associates malware entry at ca.com, retrieved 1/16/2009

[1]

[2]

[3]

[4]

v t e Information security
Related security categories	Computer security Automotive security Cybercrime Cybersex trafficking Computer fraud Cybergeddon Cyberterrorism Cyberwarfare Electromagnetic warfare Information warfare Internet security Mobile security Network security Copy protection Digital rights management	vectorial version
Threats	Adware Advanced persistent threat Arbitrary code execution Backdoors Hardware backdoors Code injection Crimeware Cross-site scripting Cross-site leaks DOM clobbering History sniffing Cryptojacking Botnets Data breach Drive-by download Browser Helper Objects Viruses Data scraping Denial-of-service attack Eavesdropping Email fraud Email spoofing Exploits Hacktivism Insecure direct object reference Keystroke loggers Logic bombs Time bombs Fork bombs Zip bombs Fraudulent dialers Malware Payload Phishing Voice Polymorphic engine Privilege escalation Ransomware Rootkits Scareware Shellcode Spamming Social engineering Spyware Software bugs Trojan horses Hardware Trojans Remote access trojans Vulnerability Web shells Wiper Worms SQL injection Rogue security software Zombie
Defenses	Application security Secure coding Secure by default Secure by design Misuse case Computer access control Authentication Multi-factor authentication Authorization Computer security software Antivirus software Security-focused operating system Data-centric security Obfuscation (software) Data masking Encryption Firewall Intrusion detection system Host-based intrusion detection system (HIDS) Anomaly detection Security information and event management (SIEM) Mobile secure gateway Runtime application self-protection Site isolation

v t e Microsoft APIs and frameworks
Graphics and UI	Desktop Window Manager Direct2D Direct3D D3D (extensions) GDI / GDI+ WPF Silverlight WinUI Windows Color System Windows Image Acquisition Windows Imaging Component DirectX Graphics Infrastructure (DXGI) Windows Advanced Rasterization Platform WinG
Audio	DirectMusic DirectSound DirectX plugin XACT Speech API XAudio2
Multimedia	DirectX Media Objects Video Acceleration Xinput DirectInput DirectShow Image Mastering API Managed DirectX Media Foundation XNA Windows Media Video for Windows
Web	MSHTML RSS Platform JScript VBScript BHO XDR SideBar Gadgets TypeScript
Data access	Data Access Components (MDAC) ADO ADO.NET ODBC OLE DB Extensible Storage Engine Entity Framework Sync Framework Access Database Engine MSXML OPC
Networking	Winsock LSP Winsock Kernel Filtering Platform NDIS Windows Rally BITS P2P API MSMQ MS MPI DirectPlay
Communication	Messaging API Telephony API WCF
Administration and management	Win32 console Windows Script Host WMI (extensions) PowerShell Task Scheduler Offline Files Shadow Copy Windows Installer Error Reporting Event Log Common Log File System
Component model	COM COM+ ActiveX Distributed Component Object Model .NET Framework
Libraries	Framework Class Library Microsoft Foundation Classes (MFC) Active Template Library (ATL) Windows Template Library (WTL)
Device drivers	WDM WDF KMDF UMDF WDDM NDIS UAA BDA VxD
Security	Crypto API CAPICOM Windows CardSpace Data Protection API Security Support Provider Interface (SSPI)
.NET	ASP.NET ADO.NET Remoting Silverlight TPL WCF WCS WPF WF
Software factories	EFx Factory Enterprise Library Composite UI CCF CSF
IPC	MSRPC Dynamic Data Exchange (DDE) Remoting WCF
Accessibility	Active Accessibility UI Automation
Text and multilingual support	DirectWrite Text Services Framework Text Object Model Input method editor Language Interface Pack Multilingual User Interface Uniscribe