Vulnerability Note VU#260588

Microsoft Windows Help and Support Center (HCP) fails to validate HCP URLs

Original Release date: 14 Apr 2004 | Last revised: 14 Apr 2004


A remotely exploitable vulnerability exists in the Help and Support Center (HCP). An attacker could compromise the victim's system by tricking them into visiting a malicious web site, or viewing a malicious email message.


A failure to filter special characters, such as quotes, from HCP URLs could lead to inject code into the . By tricking a victim into visiting a malicious web site or viewing a malicious email, a remote attacker could exploit this vulnerability to execute code in the "MyComputer" zone. The following systems are affected by this issue:

  • Windows XP
  • Windows Server 2003
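
As an added example (not part of the original note and not vendor code), the following Python code scans HTML content for HCP URLs and flags those carrying quote characters, the class of input the note says was not filtered. The sample document, its placeholder host and path names, and the bound on nested percent-decoding are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

QUOTES = ('"', "'")    # the characters the note names; extend as needed
MAX_DECODE_ROUNDS = 3  # assumption: bound on nested percent-encoding


def fully_unquote(url):
    """Percent-decode repeatedly so %2522 -> %22 -> " is also caught."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


class HcpLinkFinder(HTMLParser):
    """Collects every attribute value that uses the hcp: scheme."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (tag, attribute, url, suspicious)

    def handle_starttag(self, tag, attrs):
        # The parser has already resolved entities such as &quot; in values.
        for name, value in attrs:
            if value and value.strip().lower().startswith("hcp:"):
                decoded = fully_unquote(value)
                suspicious = any(q in decoded for q in QUOTES)
                self.findings.append((tag, name, value.strip(), suspicious))


def scan_html(document):
    """Return a list of (tag, attribute, url, suspicious) for hcp: links."""
    finder = HcpLinkFinder()
    finder.feed(document)
    finder.close()
    return finder.findings


# Constructed sample; hosts and paths are placeholders, not real HCP topics.
SAMPLE = """
<a href="hcp://placeholder/topic.htm">help</a>
<iframe src='hcp://placeholder/topic.htm?q=%22x'></iframe>
<img src="hcp://placeholder/topic.htm?q=&quot;x">
<a href="HCP://placeholder/topic.htm?q=%2527x">help</a>
<a href="https://example.com/?q=%22">not hcp</a>
"""

if __name__ == "__main__":
    for tag, attr, url, bad in scan_html(SAMPLE):
        print("SUSPICIOUS" if bad else "ok", tag, attr, url)
```

Any `hcp:` link arriving from web or email content is worth reviewing on unpatched systems; the quote check only ranks which ones to look at first.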


A remote attacker could exploit this vulnerability to execute code in the "MyComputer" zone with the privileges of the current user.


Apply a patch from the vendor

Microsoft Security Bulletin MS04-011 contains patch information to resolve this issue.

Systems Affected

Vendor                 Status    Date Notified  Date Updated
Microsoft Corporation  Affected  -              14 Apr 2004

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



Thanks to Jouko Pynnönen for reporting this vulnerability.

This document was written by Jason A Rafail.

Other Information

  • CVE IDs: CAN-2003-0907
  • Date Public: 13 Apr 2004
  • Date First Published: 14 Apr 2004
  • Date Last Updated: 14 Apr 2004
  • Severity Metric: 35.10
  • Document Revision: 2

