Here we go again ~~ Huge & Extremely Serious Security Hole in Windows XP: Please read & update immediately!

[AnandTech Moderator]

Monday night, Tech TV announced an extremely serious security flaw with ALL Windows XP installations. This does not affect other Windows operating systems, such as Windows 98, Me, NT or 2000. Leo Laporte of The Screen Savers demonstrated how this could wipe out entire directories.

Microsoft has reportedly known about this security hole for 11 weeks. Thankfully, no nefarious characters have taken advantage of it yet (but they no doubt will, and soon, now that it?s been announced).

Simply opening a web site or email (or even using a chat room) may wipe out entire directories on any Windows XP computer (such as your Documents folder).

From the Gibson Research site:

This vulnerability allows the files contained in any specified directory on your system to be deleted if you click on a specially formed URL. This URL could appear anywhere: sent in malicious eMail, in a chat room, in a newsgroup posting, on a malicious web page, or even executed when your computer merely visits a malicious web page. It is likely to be widely exploited soon.

Windows XP Service Pack 1, released Monday by Microsoft, fixes this problem. However, the entire Service Pack 1 release is 140 MB, which would take hours to download on a dial-up modem. In fact, it took me one hour via broadband due to constraints at Microsoft?s end.

Fortunately, if you've been updating your XP OS on a regular basis, Microsoft offers an "express pack" that you can use. Even so, I've heard the minimum size for an "express update" is at least 30 MB, which is still a hefty download unless you have a broadband connection such as DSL or Cable.

The security hole in questions involves "Windows XP Help." The hole lets anyone put a link on a website that can wipe out certain hard-drive directories.

If, for whatever reason, you don't or can't download the service pack, there is an alternative. There's a file you can rename or delete to fix the security hole. Here are the steps:

1. Perform a search for a file on your C drive called "uplddrvinfo.htm."
2. Once you've found the file, delete it or rename it (such as to uplddrvinfo.htm.old). Doing so will not hinder your ability to use Windows XP.

You may download Service Pack 1 at: http://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1/default.asp

You may also read about this at the Tech TV "Screen Savers" site at: http://www.techtv.com/screensavers/shownotes/story/0,24330,3398516,00.html

---

Reposted with thanks to AT member, jonnashville for posting this in Hot Deals.

We locked this topic at the top of several forums to alert our members about this critical update. It has now been up for several days. We hope everyone is now aware of it.

Please continue discussion of this topic in our Operating Systems forum.

Thank you,

AnandTech Moderator

 

[N8Magic]

:Q

Wow, this is a NASTY one.

Thanks for the heads up mod, and thanks for the post johhashville.

 

[Harvey]

That one is big enough to call it BugZilla!. :Q

 

[Shagga]

Very scary.... :Q

 

[jonnashville]

Actually, the name is JonNashville...

Please, everyone chip in so we can send the Mod a new keyboard with a working N key. 😉

By the way, there's a longer thread on this under Hot Deals...

---

Oops. Fixed in all forums. 😱

Embarrassed AnandTech Moderator

 

[JackBurton]

Lucky for me I grabbed SP1 about a week before it was officially released. 🙂

 

[Adul]

what else is new.

 

[Athlon4all]

Thanks🙂 I just installed SP1.

 

[DanFungus]

wow, that's an uber nasty one

 

[Macro2]

Can you please explain why when I reported this LAST NIGHT that the moderator LOCKED the THREAD as off topic?
I certainly hope you are not the same moderator...

http://forums.anandtech.com/message...eadid=868471&highlight_key=y&keyword1=serious

 

[Macro2]

Link

 

[SupermanCK]

OH NO.....better remember to do this when i get home tonight...

 

[Technonut]

I had XP SP1 installed, and still found the "uplddrvinfo.htm" file after running a search. 😕 I went ahead and deleted it. Is the SP1 "uplddrvinfo.htm." file a fixed version and supposed to be there or what? Anyone??.....

 

[Macro2]

well, you can test it...just don't put any critical files in harms way.

 

[MikeMike]

how big is sp1? cuz yeah anything over 8mb is to big for me to d/l it ould take forever! on ~26.4k dial-up

would anyone be nice enough and send me a cd with sp1 on it? pm me

edit: i guess i should read

well im going to delete this now if i can find it

 

[bfonnes]

Maybe Anand should create a new Forum Heading! Report Windows XP Security Flaws Here! 😀

bfonnes