
Help and Support Center vulnerability full-disclosure posting

Yesterday evening, one of Google’s security researchers publicly released vulnerability details and a working exploit for an unpatched vulnerability in Windows XP and Windows Server 2003. This afternoon, we’ve released security advisory 2219475 with official guidance. We’d like to use this blog entry to share more details about the issue and ways you can protect yourself.

The vulnerability

Firstly, Windows 7, Windows Server 2008, Windows Vista, and Windows 2000 are not impacted by this vulnerability. Those platforms do not include the Help and Support Center application, which contains this vulnerability.

However, Windows XP and Windows Server 2003 do include the Help and Support Center application (helpctr.exe). On those platforms, clicking on an hcp:// link launches helpctr.exe via a registered protocol handler. Launching the Help and Support Center via an hcp:// link is normally safe and is a supported way to launch help content. This is due in part to an “allow list” of safe pages that Help and Support Center checks before navigating to a passed-in page. The Google security researcher found a help page with a cross-site scripting vulnerability and also a mechanism by which to abuse the allow list functionality to access that page with an exploit querystring. Clicking on a malicious hcp:// link leverages the XSS vulnerability to circumvent helpctr.exe’s safety controls and ultimately run an arbitrary exe installed on the machine.

It’s also important to note that while Windows Server 2003 does include helpctr.exe and the hcp:// protocol handler, the specific exploit posted by the Google security researcher does not result in code execution on Windows Server 2003. We are still investigating this and have not yet ruled out the possibility of code execution.

How to Protect Yourself

The full-disclosure advisory included a hotfix tool built by the Google security researcher. Unfortunately, it is ineffective at preventing the vulnerable code from being reached and can be easily bypassed. We recommend not counting on the Google hotfix tool for protection from the issue.

The best workaround is to unregister the hcp:// protocol handler. Doing so will prevent the chain of events that leads to the code execution. Here is a registry script to disable the protocol handler:

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\HCP]

Pasting this into a .reg file and opening it with regedt32 will disable the hcp:// protocol handler. You can find the interactive steps and the rollback instructions in the security advisory.
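The same workaround can be scripted so that the key is backed up before it is removed and the removal is verified afterwards. The following is an added example, not taken from the advisory; it uses the built-in reg.exe, and the backup file path is an assumption to adjust for your environment.

```bat
@echo off
rem Added example: back up, remove, and verify the hcp:// protocol handler.
rem BACKUP is an assumed path; pick a location that is retained for rollback.
setlocal
set "KEY=HKCR\HCP"
set "BACKUP=%SystemDrive%\hcp_handler_backup.reg"

rem Nothing to do if the handler is already unregistered.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo %KEY% is not present. The hcp:// handler is already unregistered.
    exit /b 0
)

rem Never overwrite an earlier backup: it may be the only copy of the key.
if exist "%BACKUP%" (
    echo %BACKUP% already exists. Move it aside and run again.
    exit /b 1
)

rem Export first, and only delete once the backup file is on disk.
reg export "%KEY%" "%BACKUP%" >nul
if errorlevel 1 (
    echo Export failed. %KEY% was left untouched.
    exit /b 1
)
if not exist "%BACKUP%" (
    echo Backup file was not written. %KEY% was left untouched.
    exit /b 1
)

rem Equivalent to the [-HKEY_CLASSES_ROOT\HCP] line in the .reg script.
reg delete "%KEY%" /f >nul
if errorlevel 1 (
    echo Delete failed. Check that you are running as an administrator.
    exit /b 1
)

rem Verify: a successful query here means the handler is still registered.
reg query "%KEY%" >nul 2>&1
if not errorlevel 1 (
    echo %KEY% is still present. The workaround is NOT in effect.
    exit /b 1
)

echo hcp:// handler unregistered. Roll back with: reg import "%BACKUP%"
exit /b 0
```

The non-zero exit codes let a deployment tool flag machines where the workaround did not take effect.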

The Help and Support Center does use hcp:// links internally so temporarily disabling the protocol handler may impact Help and Support Center’s ability to, for example, initiate Remote Assistance requests.

We are actively working on a security update to comprehensively address the issue. We are also working on a Microsoft FixIt to automate disabling the hcp:// protocol handler.

Thanks to the MSRC Engineering team for the quick investigation of this issue: David Ross, Chengyun Chu, Bruce Dang, Andrew Roths, and Jonathan Ness.

*Posting is provided “AS IS” with no warranties, and confers no rights.*
