Free Republic
Browse · Search
News/Activism
Topics · Post Article


Windows XP contains massive security hole
The Inquirer | Wednesday 11 September 2002, 11:50 | Paul Hales

Posted on 09/11/2002 1:40:24 PM PDT by HAL9000

Install the Service Pack and, shush, don't tell anyone...

MICROSOFT'S RUSH to get Windows XP SP1 out and about may have been motivated by a desire to hide a vulnerability afflicting the operating system (cough) that allows an attacker to delete files from a computer that does nothing more than visit a specially crafted web page.

According to this Spanish-language site, a Googled translation of which is here, "a defect in Windows XP allows that anyone can erase archives of our computer if click becomes on a connection maliciously constructed, as much when visiting a malignant Web site, like a receiving a message with format HTML". Sorry about the language, but you get the picture.

A reader writes a little more clearly that this vulnerability allows the files contained in any specified directory on your system to be deleted if you click on a specially-formed URL. He points to Gibson Research here, where they warn, "This URL could appear anywhere: sent in malicious eMail, in a chat room, in a newsgroup posting, on a malicious web page, or even executed when your computer merely visits a malicious web page. It is likely to be widely exploited soon."

This is a critical vulnerability and one Microsoft has done its best to keep secret, it seems.

Another reader tells us he saw a report on TechTV, the background to which they give here, where they state that Microsoft has known about the flaw for some 11 weeks but kept the lid on it because it is so easy to exploit.

Microsoft urges Windows XP users to download the Service Pack and install it as quickly as possible. You can find that here. It's a large file, though, and CD versions are only available in the US and Canada at the moment, according to Microsoft.

The advice from various sources for users unable to install the Service Pack is to find and rename the affected file, uplddrvinfo.htm. Renaming takes the affected file out of reach, but it is a stopgap rather than a fix; the Service Pack remains the proper remedy.
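As an added illustration (not code from the article, from Windows XP, or from any of the sources it links), the following Python models the class of bug described above: a trusted local handler takes a directory name from a URL an attacker can craft and empties it, with no check that the path lies somewhere the component is allowed to touch. The `localapp://` scheme, the `dir` parameter, the scratch-directory layout and the file names are all constructed for this example. The hardened version canonicalizes the path, refuses wildcards and relative paths, and confines the result to a directory the application owns.

```python
"""Added example: URL-named directory cleanup, unsafe and confined.

Not code from the article or from Windows XP. The 'localapp://' scheme,
the 'dir' query parameter and the directory layout in demo() are
assumptions constructed for this illustration.
"""
import shutil
import tempfile
from pathlib import Path
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit


def dir_from_url(url: str) -> Optional[str]:
    """Extract the (assumed) 'dir' query parameter from a URL."""
    values = parse_qs(urlsplit(url).query).get("dir")
    return values[0] if values else None


def _empty_directory(target: Path) -> List[str]:
    """Delete the regular files directly inside target; return their names."""
    removed = []
    for entry in sorted(target.iterdir()):
        if entry.is_file():
            entry.unlink()
            removed.append(entry.name)
    return removed


def vulnerable_cleanup(url: str) -> List[str]:
    """Unsafe pattern: whatever directory the URL names gets emptied."""
    return _empty_directory(Path(dir_from_url(url)))


def confine(candidate: Optional[str], allowed_root: Path) -> Optional[Path]:
    """Return the canonical path if it lies inside allowed_root, else None.

    Rejects empty values, glob metacharacters, relative paths, and any
    path that resolves (via '..' or symlinks) to a location outside the
    allowed root. Resolve first, compare second: a string prefix check
    on the raw value would accept 'root/../elsewhere'.
    """
    if not candidate or any(ch in candidate for ch in "*?["):
        return None
    path = Path(candidate)
    if not path.is_absolute():
        return None
    resolved = path.resolve()
    root = allowed_root.resolve()
    if resolved != root and root not in resolved.parents:
        return None
    return resolved


def hardened_cleanup(url: str, allowed_root: Path) -> List[str]:
    """Same operation, permitted only inside a directory the app owns."""
    target = confine(dir_from_url(url), allowed_root)
    if target is None or not target.is_dir():
        raise PermissionError(f"refusing to touch anything outside {allowed_root}")
    return _empty_directory(target)


def demo() -> dict:
    """Constructed scenario: the app's scratch dir beside a victim dir."""
    base = Path(tempfile.mkdtemp())
    scratch, victim = base / "scratch", base / "victim"
    scratch.mkdir()
    victim.mkdir()
    (scratch / "tmp1.log").write_text("scratch data")
    (victim / "important.doc").write_text("user data")

    urls = {
        "safe": f"localapp://cleanup?dir={scratch}",
        "evil": f"localapp://cleanup?dir={victim}",  # attacker-chosen directory
        "traversal": f"localapp://cleanup?dir={scratch}/../victim",
    }
    result = {}
    for name in ("evil", "traversal"):
        try:
            hardened_cleanup(urls[name], scratch)
            result[name] = "deleted"
        except PermissionError:
            result[name] = "refused"
    result["safe"] = hardened_cleanup(urls["safe"], scratch)
    result["victim_after_hardened"] = (victim / "important.doc").exists()
    result["wildcard_rejected"] = confine(f"{scratch}/*", scratch) is None
    result["relative_rejected"] = confine("scratch", scratch) is None
    # The unsafe handler, given the same attacker URL, removes the victim's file.
    result["vulnerable"] = vulnerable_cleanup(urls["evil"])
    result["victim_after_vulnerable"] = (victim / "important.doc").exists()
    shutil.rmtree(base, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the hardened handler refusing both the direct victim path and the `..` traversal while still cleaning its own scratch directory, and the unsafe handler deleting the victim's file from the same attacker-supplied URL. The order matters: resolve the path first, then compare against the allowed root, otherwise `scratch/../victim` passes a naive prefix check.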



TOPICS: News/Current Events; Technical
KEYWORDS: lowqualitycrap; microsoft; techindex; windows; xp
To: theprogrammer
"Why are so many security breaches found in MS products?" The answer to this more reasonable question is easy, "Because there are more people looking for them."

Ok, then why have so many more vulnerabilities been found in IIS than Apache, even though Apache has a larger market share? It's true that all software is buggy. It's not true that all software is *equally* buggy.

81 posted on 09/11/2002 10:18:33 PM PDT by ThinkDifferent (in reply to post 59)

To: dheretic
EVERYBODY STOP FEEDING THIS...

What a language. I thought of replying to you, but your lack of civility does not warrant that.

82 posted on 09/11/2002 10:28:30 PM PDT by TopQuark (in reply to post 70)

To: All
Dear Lord.

A simple URL has the ability to delete files from the hard drive.

I'm not sure how many of y'all are developers, but that is one *pathetic* piece of programming. There is simply no excuse for an error of that type, of that magnitude. That is people simply not caring about doing a good job.

For a wide variety of reasons, in a wide variety of ways, this is just unacceptable. At some point, MS is going to have to begin to be held accountable to the laws that prevent a merchant from selling a product that does not perform as advertised. They should be encouraged to perform a recall of all the copies currently on the shelves.

And just imagine what else is hidden there in plain sight?

83 posted on 09/11/2002 11:18:08 PM PDT by Dominic Harr (in reply to post 1)

To: SGCOS
...If you download the service pack, does that completely take care of the security problem?

Probably opens up 5 more security holes...

You're absolutely right. Every time I've downloaded a patch, I've made the problem worse.

What do you recommend for someone who has XP?

84 posted on 09/11/2002 11:29:32 PM PDT by my_pointy_head_is_sharp (in reply to post 23)

To: TopQuark
Oh, sorry. I only make a (damned good) living designing and writing software, so I guess I don't understand it. However, my customers would disagree with that vehemently. Sure, bugs happen. Unintended consequences happen. I do have more than a vague idea of development. But my post was in response to your saying that unless one has some idea of the process, one should just pay up and not complain (is that an adequate paraphrase of your question?). That's a damned silly claim, no matter what you think. If I had that attitude I would expect to be out of business within days.
85 posted on 09/12/2002 4:02:34 AM PDT by jammer (in reply to post 67)

To: HAL9000
Keyword: LOW QUALITY CRAP

LOL best one yet
86 posted on 09/12/2002 4:32:13 AM PDT by RWG (in reply to post 1)

To: jammer
people that demonstrate the absence of basic understanding of software design and project management

That is what I said in the post. "People" was addressed to someone else (reread my earlier posts if you care) that DID demonstrate the lack of basic understanding.

But my post was in response to your saying that unless one has some idea of the process

No, one has to know more than a process: one needs to know what difficulties exist in creating a specific product.

one should just pay up and not complain (is that an adequate paraphrase of your question?).

No, it is not, as I actually said in the post to which you are replying. I said, "Naturally, you could blame the misfortune, the fact that things get old, etc. It is quite another, which is the case here, is to raise the accusatory finger at someone without a slightest reason."

So, you can see there was never a need for you to assert your qualifications: I did not have any disagreement with what you said. But, without addressing this to YOU, let me add that programming is still young and exceptional. There are plenty of people that "write the software" -- various macros for the Office environment or some queries in DB2 -- and are convinced that they know something about software design. Yet most of these people have not even studied data structures or deadlock avoidance. The fact that one writes programs for a living does not mean that he can, or even knows how to, write a compiler.

The argument "I know because I write software for a living" is as incorrect as "I can criticize the engine design because I drive for a living." One can be dissatisfied with the engine's power or frustrated when it breaks. But he acts like an ignorant and spoiled brat when he declares, "I paid a whole $150 for this engine; why didn't they make it a 500 HP one?"

To reiterate: this is not personal; you may well know how to write a compiler or implement reentrant code. But if you do, you know them not from writing software for clients.

87 posted on 09/12/2002 5:29:17 AM PDT by TopQuark (in reply to post 85)

To: AaronAnderson; rdb3
Thanks to both of you. I'll give it a try tonight when I get home from work.
88 posted on 09/12/2002 5:31:51 AM PDT by 6ppc (in reply to post 77)

To: HAL9000
Just out of idle curiosity...does the EULA for XP SP1 contain the terms that have been noted in recent MS EULAs for bug fixes? Those give MS the right to automatically update the OS software in ways that break applications. Don't believe me? Here's the text:
You agree that...Microsoft may provide security related updates to the OS Components that will be automatically downloaded onto your computer. These security related updates may disable your ability to copy and/or play Secure Content and use other software on your computer.
So...people used to complain when MS made a point of breaking competitors' software ("DOS isn't done until Lotus won't run"), but now, to get important updates to MS software, you have to agree that they have the right to break any applications you might be using.
89 posted on 09/12/2002 6:01:03 AM PDT by jejones (in reply to post 1)

To: TopQuark; Charlotte Corday
Charlotte said: Provide a fast, consistent, stable interface for disk, graphics, and peripheral access. That's about it.

I don't want my OS to be an all-purpose life enhancement tool.

Top Quark said: If MS were to develop a more specialized system tailored to your needs, it would be in the millions.

OK--I think there's a disconnect here. Charlotte is saying that the OS should provide ONLY a hardware interface, and TopQuark is saying that would cost millions, since they'd have to strip out all the applications MS currently piles on top.

Does that make any sense whatsoever?

90 posted on 09/12/2002 6:04:34 AM PDT by ShadowAce (in reply to post 64)

To: altair
Do you know what happens when you execute "rm -rf /" as root? I've done it twice before reinstalling...

I've done it once -- on a system I was going to wipe and rebuild -- just to see what it would do. Except for some stuff in /dev and /proc it cleaned that disk real nice... but then the thing just wouldn't shut down right after that... ;-)

"rm -rfv [dirspec]" is handy to clean out and delete a subdirectory, but you had better type that dirspec carefully and make sure you say what you mean.

91 posted on 09/12/2002 6:47:20 AM PDT by TechJunkYard (in reply to post 68)

To: my_pointy_head_is_sharp
What do you recommend for someone who has XP?

My advice to you is to start drinking heavily.


92 posted on 09/12/2002 7:31:02 AM PDT by Richard Kimball (in reply to post 84)

To: general_re
Re: #66

AIX? SMIT is my friend!

93 posted on 09/12/2002 7:40:21 AM PDT by Michael Barnes (in reply to post 66)

To: unix
SMIT is everyone's friend. SMIT is the sh*t - what could be easier than smitty update_all? ;)
94 posted on 09/12/2002 7:46:20 AM PDT by general_re (in reply to post 93)

To: general_re
smitty update_all cron'd? ;)
95 posted on 09/12/2002 7:49:39 AM PDT by Michael Barnes (in reply to post 94)

To: unix
Well, there is that. Just don't forget to "explain" to the boss how it's your deep knowledge of black magic that keeps everything running, and try to look busy with all your free time ;)
96 posted on 09/12/2002 7:56:52 AM PDT by general_re (in reply to post 95)

To: toupsie
Get a clue. There are more operating systems out there than Windows and Mac OS. You choose one, I choose many.

You are correct, there are more. And it seems to me that all Mac Power users also admit they have Windows, Linux, and other boxes running as well. If the Mac is the be-all, end-all, why do you use other stuff? I have a Win 2000 box and will soon build another. That's it.

If Apple would sell the parts for me to build my own system, and if developers would introduce more software for the Mac OS X, I'd switch in a second.

97 posted on 09/12/2002 8:01:38 AM PDT by 1L (in reply to post 63)

To: JackOfVA
Only restarts are when necessary after downloading OS or program updates.

Wow. I never have to reboot my Slackware box.
To each his own, I guess.
But don't you think it odd that you have to turn a computer off to install software? Isn't that bad for the board?
98 posted on 09/12/2002 8:24:29 AM PDT by dyed_in_the_wool (in reply to post 50)

To: general_re
every once in a while, Windows is the best tool for a given job

Absolutely.
Just a.)Don't keep it connected to the Net. and b.)Don't expect any data to be secure (from either your neighbor or from MicroSoft.)
The last point is important because they reserve the right with the latest patch to inspect your hard drive and delete anything they think you don't have rights to.
But hey, you're cool with that.
99 posted on 09/12/2002 8:39:52 AM PDT by dyed_in_the_wool (in reply to post 80)

To: dyed_in_the_wool
The last point is important because they reserve the right with the latest patch to inspect your hard drive and delete anything they think you don't have rights to.

Turn off automatic updating. Oops, did I get in the way of your paranoia?

100 posted on 09/12/2002 8:47:00 AM PDT by general_re (in reply to post 99)

