Here we go again ~~ Huge & Extremely Serious Security Hole in Windows XP: Please read & update immediately!

AnandTech Moderator

Staff member
Oct 12, 1999


Monday night, Tech TV announced an extremely serious security flaw with ALL Windows XP installations. This does not affect other Windows operating systems, such as Windows 98, Me, NT or 2000. Leo Laporte of The Screen Savers demonstrated how this could wipe out entire directories.

Microsoft has reportedly known about this security hole for 11 weeks. Thankfully, no nefarious characters have taken advantage of it yet (but they no doubt will, and soon, now that it's been announced).

Simply opening a web site or email (or even using a chat room) may wipe out entire directories on any Windows XP computer (such as your Documents folder).

From the Gibson Research site:
This vulnerability allows the files contained in any specified directory on your system to be deleted if you click on a specially formed URL. This URL could appear anywhere: sent in malicious eMail, in a chat room, in a newsgroup posting, on a malicious web page, or even executed when your computer merely visits a malicious web page. It is likely to be widely exploited soon.

Windows XP Service Pack 1, released Monday by Microsoft, fixes this problem. However, the entire Service Pack 1 release is 140 MB, which would take hours to download on a dial-up modem. In fact, it took me one hour via broadband due to constraints at Microsoft's end.

Fortunately, if you've been updating your XP OS on a regular basis, Microsoft offers an "express pack" that you can use. Even so, I've heard the minimum size for an "express update" is at least 30 MB, which is still a hefty download unless you have a broadband connection such as DSL or Cable.

The security hole in question involves "Windows XP Help." The hole lets anyone put a link on a website that can wipe out certain hard-drive directories.

If, for whatever reason, you don't or can't download the service pack, there is an alternative. There's a file you can rename or delete to fix the security hole. Here are the steps:

1. Perform a search for a file on your C drive called "uplddrvinfo.htm."
2. Once you've found the file, delete it or rename it (such as to uplddrvinfo.htm.old). Doing so will not hinder your ability to use Windows XP.

You may download Service Pack 1 at: http://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1/default.asp

You may also read about this at the Tech TV "Screen Savers" site at: http://www.techtv.com/screensavers/shownotes/story/0,24330,3398516,00.html

---

Reposted with thanks to AT member, jonnashville for posting this in Hot Deals.

We locked this topic at the top of several forums to alert our members about this critical update that was not yet posted on Microsoft's Windows Update page. It has now been up for several days. We hope everyone is now aware of it.

Please continue discussion of this topic in our Operating Systems forum.

Thank you,

AnandTech Moderator
 

CraigRT

Lifer
Jun 16, 2000
Man, is that ever a huge bug... gotta love WinXP..
 

Harvey

Administrator, Elite Member
Oct 9, 1999
They could call that one BugZilla! :Q

Me --> Glad to be on Win98 SE with all updates. :)

Me --> Strongly considering learning more about Linux.
 

wyvrn

Lifer
Feb 15, 2000
I have Mandrake CDs if you want them, just PM me. Personally I have to run Sun Solaris because of my classes, so I don't need nor want Mandrake anymore. Plus it's really newbie friendly :)

Originally posted by: Harvey
They could call that one BugZilla! :Q

Me --> Glad to be on Win98 SE with all updates. :)

Me --> Strongly considering learning more about Linux.

 

Martin

Lifer
Jan 15, 2000
Hey mod, what's that URL? ;)

I wish Mandrake would hurry up and release 9.0, it should be quite nice.
 

Harvey

Administrator, Elite Member
Oct 9, 1999
Valentine, too, took the opportunity to point out the widespread bugs that have been discovered in competing operating products such as Linux and Unix.

"Every operating system out there is about equal in the number of vulnerabilities reported," he said. "We all suck."
:disgust:

 

Nemesis77

Diamond Member
Jun 21, 2001
Originally posted by: Harvey
Valentine, too, took the opportunity to point out the widespread bugs that have been discovered in competing operating products such as Linux and Unix.

"Every operating system out there is about equal in the number of vulnerabilities reported," he said. "We all suck."
:disgust:

HAH! That Valenti sure is a funny guy :D!