Microsoft issues Security Advisory for Help flaw in Windows XP, Server 2003

In order to address a publicly disclosed flaw in the Windows Help and Support Center, a vulnerability that affects only Windows XP and Windows Server 2003, Microsoft has issued Security Advisory 2219475.

The vulnerability did not make the list of the 34 flaws that Microsoft fixed in its June Patch Tuesday release, which comprised ten security bulletins.

The flaw was first reported by a Google security researcher on June 4 and publicly disclosed on June 9. The researcher found that a help page containing a cross-site scripting bug can be combined with a way of abusing the allow-list that controls which help pages the hcp:// handler will open, so that the vulnerable page is loaded with an attacker-supplied query string.

As a result, clicking a malicious hcp:// link on Windows XP or Windows Server 2003 triggers the XSS bug, bypasses helpctr.exe's safety checks, and ultimately runs an arbitrary executable on the system.

Noting that XP's installed base is huge, since both consumers and businesses use it extensively, Andrew Storms, director of security operations for nCircle, points out: “The bad news on this zero-day is that all users of Windows XP are affected, and the vulnerability makes drive-by attacks possible.”

Alongside the advisory, Microsoft has also published a workaround: unregistering the HCP protocol, which involves editing the registry. According to Microsoft, this prevents the flaw from being exploited on affected systems. The trade-off is that legitimate hcp:// help links on the machine stop working until the protocol is registered again, so the registry key should be exported before it is removed.
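The following script is an added example of applying that workaround, not code from the article or from Microsoft's own Fix It package. It assumes the hcp:// handler is registered under the key HKEY_CLASSES_ROOT\HCP, that it runs in an elevated (administrator) session, and that %TEMP% is writable for the backup export; the function names are this example's own.

```powershell
# Added example: unregister the hcp:// protocol handler (the Advisory 2219475
# workaround) with a reversible backup. Not taken from the article or from
# Microsoft's Fix It. Assumptions: handler key is HKEY_CLASSES_ROOT\HCP,
# script runs as administrator, %TEMP% is writable.

$hcpKey     = 'Registry::HKEY_CLASSES_ROOT\HCP'
$hcpRegPath = 'HKCR\HCP'   # the same key, in reg.exe syntax
$backupFile = Join-Path $env:TEMP ("HCP_backup_{0:yyyyMMdd_HHmmss}.reg" -f (Get-Date))

function Test-HcpHandlerRegistered {
    # True while hcp:// links will still be handed to helpctr.exe.
    return (Test-Path -Path $hcpKey)
}

function Disable-HcpHandler {
    if (-not (Test-HcpHandlerRegistered)) {
        Write-Host 'hcp: handler is already unregistered; nothing to do.'
        return
    }

    # Export first so the change can be undone with: reg import <backup file>
    & reg.exe export $hcpRegPath $backupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $backupFile)) {
        throw "Backup export of $hcpRegPath failed; aborting without changes."
    }
    Write-Host "Backup written to $backupFile"

    # Deleting the key removes the hcp:// protocol registration, so a
    # malicious hcp:// link no longer reaches helpctr.exe at all.
    Remove-Item -Path $hcpKey -Recurse -Force

    if (Test-HcpHandlerRegistered) {
        throw 'HCP key still present after deletion; check permissions.'
    }
    Write-Host 'hcp: handler unregistered. Legitimate hcp:// help links are disabled until the backup is re-imported.'
}

Disable-HcpHandler
```

PowerShell is an optional install on Windows XP and Server 2003, so on a machine without it the same two steps can be typed into cmd.exe as `reg export HKCR\HCP backup.reg` followed by `reg delete HKCR\HCP /f`. To reverse the workaround once a patch is installed, run `reg import` on the backup file.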