Posted on 09/11/2002 1:40:24 PM PDT by HAL9000
Windows XP contains massive security hole
Install the Service Pack and, shush, don't tell anyone...
MICROSOFT'S RUSH to get Windows XP SP1 out and about may have been motivated by a desire to hide a vulnerability afflicting the operating system (cough) that allows hackers to delete files from a computer accessing a tweaked web page.
According to this Spanish-language site, a Googled translation of which is here, "a defect in Windows XP allows that anyone can erase archives of our computer if click becomes on a connection maliciously constructed, as much when visiting a malignant Web site, like a receiving a message with format HTML". Sorry about the language, but you get the picture.
A reader writes a little more clearly that this vulnerability allows the files contained in any specified directory on your system to be deleted if you click on a specially-formed URL. He points to Gibson Research here, where they warn, "This URL could appear anywhere: sent in malicious eMail, in a chat room, in a newsgroup posting, on a malicious web page, or even executed when your computer merely visits a malicious web page. It is likely to be widely exploited soon."
This is a critical vulnerability and one Microsoft has done its best to keep secret, it seems.
Another reader tells us he saw a report on TechTV, the background to which they give here, where they state that Microsoft has known about the flaw for some 11 weeks but kept the lid on it because it is so easy to exploit.
Microsoft urges Windows XP users to download the Service Pack and install it as quickly as possible. You can find that here. It's a large file, though, and CD versions are only available in the US and Canada at the moment, according to Microsoft.
The advice from various sources for users unable to install the Service Pack is to find and rename the affected file uplddrvinfo.htm. µ
I installed SP1 for XP Pro yesterday and see no indications of problems. I'm using a Compaq 5330US 1.7 GHz machine with 512M of RAM. XP Pro on this machine has been quite stable before SP1 and so far (fingers crossed) no adverse results from SP1.
Jack
Probably opens up 5 more security holes...
I disagree; smart design decision. Now your machine can reboot and perhaps start serving its role again without requiring operator intervention, and the content of the BSOD diagnostic messages is thrown in the system log.
You'd rather have your server just sort of hanging out and doing nothing than restart and get back to work? Huh....
To each his own, I guess...
It is amazing that there are relatively few bugs, and updates are coming up regularly.
Now, given your impatience with MS, how many operating systems have you written?
I disagree; smart design decision. Now your machine can reboot and perhaps start serving its role again without requiring operator intervention, and the content of the BSOD diagnostic messages is thrown in the system log.
I'm looking forward to iSync later this month.
Because Bill Gates is on the top of the mountain and every hacker in the world wants to kick him off. If everyone was focusing on Apple, problems would be exposed there, too.
There's no such thing as a hack-proof system...there's always a better hacker. The only way to make a system completely secure is to disconnect it from any form of network communication. And even then, you need to worry about securing the room.
Just one?
Servers shouldn't "hang" in the first place! Is that a normal experience with Windows servers?
Sorry, but Microsoft has admitted that Windows was not designed with security in mind. It's not market share that is Microsoft's problem with Windows, it's the design. VP Valentine said as much in a speech. The market share excuse is a worn out Microsoft marketing ploy.
I confess I haven't written any.
On the other hand, MS has written SIX PC OS's (95, NT4, 98, ME, 2000, XP) in the last seven years.
Eight if you count 98SE and the two flavors of XP.
I guess that makes them better.
Or something.
However, "better" and "bug-free" are two different aspects of a product.
I guess I have to say it straightforwardly: when one formulates expectations (such as seeing bug-free software), one needs to know what is involved in the creation of the product.
We've built a lot of highways, and still have accidents on them. Think about that analogy.