
Huge & Extremely Serious Security Hole in Windows XP: Please read & update immediately!

jonnashville

Senior member
Monday night, Tech TV announced an extremely serious security flaw with ALL Windows XP installations. This does not affect other Windows operating systems, such as Windows 98, Me, NT or 2000. Leo Laporte of The Screen Savers demonstrated how this could wipe out entire directories.

Microsoft has reportedly known about this security hole for 11 weeks. Thankfully, no nefarious characters have taken advantage of it yet (but they no doubt will, and soon, now that it's been announced).

Simply opening a web site or email (or even using a chat room) may wipe out entire directories on any Windows XP computer (such as your Documents folder).

From the Gibson Research site:
This vulnerability allows the files contained in any specified directory on your system to be deleted if you click on a specially formed URL. This URL could appear anywhere: sent in malicious eMail, in a chat room, in a newsgroup posting, on a malicious web page, or even executed when your computer merely visits a malicious web page. It is likely to be widely exploited soon.

Windows XP Service Pack 1, released Monday by Microsoft, fixes this problem. However, the entire Service Pack 1 release is 140 MB, which would take hours to download on a dial-up modem. In fact, it took me one hour via broadband due to constraints at Microsoft's end.

Fortunately, if you've been updating your XP OS on a regular basis, Microsoft offers an "express pack" that you can use. Even so, I've heard the minimum size for an "express update" is at least 30 MB, which is still a hefty download unless you have a broadband connection such as DSL or Cable.

The security hole in question involves "Windows XP Help." The hole lets anyone put a link on a website that can wipe out certain hard-drive directories.

If, for whatever reason, you don't or can't download the service pack, there is an alternative. There's a file you can rename or delete to fix the security hole. Here are the steps:

1. Perform a search for a file on your C drive called "uplddrvinfo.htm."
2. Once you've found the file, delete it or rename it (such as to uplddrvinfo.htm.old). Doing so will not hinder your ability to use Windows XP.

You may download Service Pack 1 at: http://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1/default.asp

You may also read about this at the Tech TV "Screen Savers" site at: http://www.techtv.com/screensavers/shownotes/story/0,24330,3398516,00.html

---

We locked this topic at the top of several forums to alert our members about this critical update. It has now been up for several days. We hope everyone is now aware of it.

Please continue discussion of this topic in our Operating Systems forum.

Thank you,

AnandTech Moderator
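
The two workaround steps above as a script, added here as an example and not part of the original post or any Microsoft tool: it searches a drive for the file by name, ignoring case, and renames each copy, defaulting to a dry run. The function names, the `--apply` switch and the numbered `.old` suffix are assumptions.

```python
import os
import sys

TARGET = "uplddrvinfo.htm"  # file name given in the post


def find_help_file(root):
    """Return every path under root whose file name equals TARGET, ignoring case."""
    hits = []
    # os.walk skips directories it cannot read, so a locked folder does not abort the scan.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == TARGET:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def backup_name(path):
    """Pick <path>.old, or .old1, .old2, ... if an earlier backup already exists."""
    candidate = path + ".old"
    n = 1
    while os.path.exists(candidate):
        candidate = f"{path}.old{n}"
        n += 1
    return candidate


def neutralize(root, dry_run=True):
    """Rename each match so the help page can no longer be loaded by name.

    Returns a list of (original_path, new_path). With dry_run=True nothing is changed.
    """
    actions = []
    for path in find_help_file(root):
        new = backup_name(path)
        if not dry_run:
            os.rename(path, new)
        actions.append((path, new))
    return actions


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--apply"]
    root = args[0] if args else "C:\\"
    results = neutralize(root, dry_run="--apply" not in sys.argv)
    for old, new in results:
        print(f"{old} -> {new}")
    if not results:
        print(f"no copy of {TARGET} found under {root}")
```

Renaming rather than deleting keeps the file available if the change has to be reversed.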
 
I'm not sure where you found out about this, but are you sure it isn't a hoax? I just went to the TechTV link you provided and there is nothing about this. (Yeah, there is a link about WinXP SP1, but that is normal).

D.C.
 
but are you sure it isn't a hoax?

It's no hoax. I saw it last night.
Screensavers 9/9/02 show notes

Boot Camp tip
As mentioned earlier in the show, Microsoft released a service pack for Windows XP. It fixes a serious security hole that Microsoft has known about for more than 11 weeks.


The security hole involves Windows XP help. The hole lets anyone put a link on a website that can wipe out certain hard-drive directories.


If, for whatever reason, you don't or can't download the service pack, there is an alternative. There's a file you can rename or delete to fix the security hole. Here are the steps:

1. Perform a search for a file on your C drive called "uplddrvinfo.htm."
2. Once you've found the file, delete it or rename it. Doing so will not hinder your ability to use Windows XP.

For more information about the security hole, visit Gibson Research.
 
I saw it last night, as well. They even demonstrated it.

However... When I do a search for that file, I come up with nothing.

*shrugs*
 
Make sure you archive your old files when installing... Some valid Win XP serial numbers are being rejected by the updater!! If you archive, you can uninstall the Service Pack to restore your system (then do the cheap and dirty file-change to fix the hole).
 
Thank you jonnashville for this post.

BTW, anyone using a blacklisted Windows CD Key (keys that start with F or D are thought to be blacklisted) will deactivate Windows XP on their computer by installing Windows XP Service Pack 1. So, heads up, make sure you check your CD Key before installing Service Pack 1, a-right?
 
jonnashville,
Make sure you archive your old files when installing
Is this a reference to a restore point as per the System Restore utility under the XP Help & Restore area?
Or do you mean a full back-up of the system drive?

TIA.
🙂
 
I believe the SP1 installation prompts you to archive files, if you wish to do so.
 
I just ordered five Dell computers over the weekend for a friend. I sure hope they come with SP1 installed. Is there anyplace else where we can get the network version of the service pack? The MS site is incredibly slow today. :frown:
 
When running the installer, it will ask you if you want to archive your old installation... say Yes, even though it warns you it will use a lot of hard drive space.

So, if following the upgrade, you get a message saying your S/N doesn't work, you can simply uninstall the service pack.
 
after thinking about it, if you download the SP from anywhere other than microsuck you are pretty much taking another risk and possibly opening an even bigger hole although this might be the biggest hole ever.

think about it, a url can delete files and directories?!?
 
Regarding downloading it from somewhere else, when SP1 first came out, people were saying xpsp1.exe 133MB download was exactly 140,440,152 bytes.
 
My GOSH!! This just happened to me because I didn't act quick enough! I reinstalled Windows and 5 minutes later they got me again! This is a HUGE deal. Seriously, is there really a need to make a big announcement and use words like Huge and Extremely Serious every time a bug is found in Windows? How many here have ever personally gotten bit in the butt by a security hole? I bet less than 1%. I thank you for bringing this to everyone's attention because security is important, but you act like everyone is gonna get hit unless they update immediately. Please take note of this and do whatever you want in the future. I'm just trying to help.
 
 
i got norton internet security firewall running at all times.....is this necessary cause im running on 56k and it could take a year to download this
 
jonnashville & others,

If the system has been updated on a regular basis via M$ being allowed to do the automatic updates,
doesn't the "Change or Remove Programs" area of the Control Panel list most, if not all of the SP1 current updates?

There are over a dozen of these "Windows XP Hotfixes" listed as SP1.
Since everything on the network is behind a Router & Bridge and allowed Internet access, why not allow Microsoft to keep the system up-to-date? Or does SP1 supersede this? 🙂

PS Thanks for the heads-up RE: The Archive?
 