Windows Help Center CVE-2010-1885
CRITICAL
CVSS Vector (NVD)
AV:N/AC:M/Au:N/C:C/I:C/A:C
Description (NVD)
The MPC::HexToNum function in helpctr.exe in Microsoft Windows Help and Support Center in Windows XP and Windows Server 2003 does not properly handle malformed escape sequences, which allows remote attackers to bypass the trusted documents whitelist (fromHCP option) and execute arbitrary commands via a crafted hcp:// URL, aka "Help Center URL Validation Vulnerability."
Analysis (AI)
Remote code execution in Windows Help and Support Center (helpctr.exe) on Windows XP and Server 2003 allows unauthenticated attackers to bypass URL validation and execute arbitrary commands via crafted hcp:// URLs. The MPC::HexToNum function fails to properly validate escape sequences, enabling attackers to circumvent the trusted documents whitelist. EPSS indicates 92.20% exploitation probability with publicly available exploit code. Microsoft addressed this via MS10-042 in July 2010 after public disclosure in June 2010.
Technical Context (AI)
The vulnerability exists in the MPC::HexToNum function within helpctr.exe, the executable for Windows Help and Support Center. This component processes hcp:// protocol URLs with a 'fromHCP' option designed to whitelist trusted documents. The flaw involves improper parsing of hexadecimal escape sequences in URL parameters, classified as CWE-78 (OS Command Injection). When malformed escape sequences are encountered, the validation logic fails to detect malicious payloads embedded in the URL. The affected CPE data identifies Windows XP SP2/SP3 (x86 and x64) and Windows Server 2003 SP2 (x86 and Itanium) across all editions. This represents legacy Windows platforms where the Help Center was a core system component using the proprietary hcp:// protocol handler for local help content.
Remediation (AI)
Apply Microsoft Security Bulletin MS10-042, released July 13, 2010, which provides official patches for all affected Windows XP and Server 2003 versions (available at https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-042). For systems unable to immediately patch, Microsoft Advisory 2219475 documented a workaround involving unregistering the HCP protocol handler via the command 'regsvr32 /u %windir%\PCHealth\HelpCtr\Binaries\msinfo.dll' followed by 'regsvr32 /u %windir%\PCHealth\HelpCtr\Binaries\helpctr.exe'. This workaround disables Help Center functionality entirely, preventing legitimate help access, so it is acceptable only as temporary risk mitigation. Additional compensating control: block hcp:// protocol URLs at the network perimeter through web proxy URL filtering and email gateway attachment/link scanning, though this does not prevent exploitation via removable media or already-present malicious files. Given that Windows XP and Server 2003 reached end-of-life in 2014 and 2015 respectively, the primary long-term remediation is migration to supported operating systems, as these platforms no longer receive security updates through standard channels.
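The proxy and mail-gateway link scanning described above could be implemented as a content scan like the following. This is an added example, not code from Microsoft or from the advisory; the function name `scan_for_hcp`, the severity labels and the sample HTML are assumptions constructed for illustration.

```python
import re

# Any hcp:// URL in web or mail content; stop at whitespace, quotes
# and angle brackets so HTML attribute values are cut cleanly.
HCP_URL = re.compile(r"hcp://[^\s\"'<>]+", re.IGNORECASE)
# A '%' that is not followed by two hex digits is a malformed escape.
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def scan_for_hcp(text):
    """Return one finding per hcp:// URL found in text."""
    findings = []
    for match in HCP_URL.finditer(text):
        url = match.group(0)
        # Keep up to three characters of context for each bad escape.
        bad = [url[m.start():m.start() + 3] for m in BAD_ESCAPE.finditer(url)]
        findings.append({
            "url": url,
            "malformed_escapes": bad,
            # Every hcp:// link in untrusted content is a block candidate;
            # malformed escapes raise its priority for triage.
            "severity": "high" if bad else "review",
        })
    return findings


# Constructed sample content (not taken from any real capture).
SAMPLE = """
<a href="hcp://help/topic%20one.htm">well-formed escape</a>
<a href="HCP://help/topic%G1.htm">non-hex digit after percent</a>
<iframe src='hcp://help/page%4'></iframe>
<a href="https://example.com/?q=50%25">not hcp, ignored</a>
"""

if __name__ == "__main__":
    for f in scan_for_hcp(SAMPLE):
        print(f["severity"], f["url"], f["malformed_escapes"])
```

The scheme match is case-insensitive because URL schemes are not case-sensitive, so a filter that only matches lowercase `hcp://` would miss the second sample link.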