The MS HTML Help control activex is prone to a remote CHM help file hijack vulnerability when applications invoke help. Multiple built-in applications are vulnerable to this. The impact of the vulnerability is the loading of the incorrect CHM help file when it resides in the same directory the application invoking help starts in. This proof of concept exploit leverages Notepad to demonstrate the vulnerability.
d554dfbaf395542e7dbce75391389ccf6d9ee1129f374497120bd915602e661e