Huge & Extremely Serious Security Hole in Windows XP: Please read & update immediately!


brad2575

Member
Jun 6, 2001
54
0
0
Yeah, I saw this too on Screensavers and it is a HUGE issue. This issue is a part of the Windows help system, and with the flaw a hacker can launch your help system in XP and delete any files in any folder they want to. If you don't want to/can't, or as a temporary fix, you can change the file name "uplddrvinfo.htm" to anything else, at least till you can run SP1.

I have heard from many different places that if you are running an illegal copy (of course no one ever does that with Microsoft products :)) but if you have an illegal copy then the SP will trash your system.

The SP is supposed to have a lot of new features and enhancements so even without the security prob, I would think about installing it just for the new features and enhancements, plus the many fixes that it does to WIN XP I am sure.

I got Win XP from the Microsoft deal for $40, great price, but had issues with installing it on my machine, must have incompatible hardware somewhere, so till I upgrade I don't have to worry, but I have SP1 on order from Microsoft anyway :)

This is an even bigger issue now that it is out, because it was very hush hush before but now everyone knows about it and all the hackers now know about it and how to exploit this issue, so there will be many many more people trying to use this security hole, so even more important to fix it now than ever.

Hope everyone gets this fixed!!
 

Idiotkiller

Junior Member
Jun 5, 2001
15
0
0
Fixing a bug in XP by installing a bug called a "service pack".


Just watch out, kids. The EULA for the service pack requires that you let Microsoft install ANY updates they want to on your computer afterwards, with or WITHOUT your permission. Check out www.theregister.co.uk for all the dirty.
 

kashirat

Junior Member
Sep 7, 2002
5
0
0
You can change your cd-key to a non-blacklisted one and then go about downloading xp just fine...

I found out how to do this over at http://www.tweaktown.com

not sure if they've been taken down or anything yet....

kash'
 

YucA

Member
Dec 28, 2000
97
0
0
I got a question. I installed the service pack about a week or two ago. When I go to Control Panel, it shows Windows XP Hotfix SP1. Does this mean I already have this? Or do I need to download this new one again?
 

c627627

Golden Member
Jan 8, 2002
1,155
0
76
If the service pack you installed was the final version and not beta, you got it. Service Pack 1 is a 133MB download (not a quick download patch), you know that, right? Also, I thought the beta Service Pack 1 had a "for testing purposes only" message displayed as well.
 

yoandy

Senior member
Mar 21, 2002
281
0
0

the download took me an hour, but it's well worth it!
good lookin out, jonnashville!
 

popeye44

Golden Member
Aug 11, 2000
1,868
0
76
Microsoft takes every security leak or risk very seriously..


They seriously do not want you to find out how fubar'd their operating system is. :D
 

kyutip

Golden Member
Jul 24, 2000
1,729
0
0
I've just installed SP1 without a problem so far.
I even play Russian roulette by choosing not to make archive files.
I dodge the bullet :)
Anyway, I haven't noticed anything different yet.
Any good stuff about this SP1 that I should notice? Aside from fixing security issues?
One thing though, my boot up time is longer :frown:
 

knightc2

Golden Member
Jul 2, 2001
1,461
0
0
One thing though, my boot up time is longer
The initial reboot might be longer because of the updating. Did you reboot again after the initial one? I thought that it took a long time too, but it was just the first reboot after the update. My second reboot seemed normal.
 

kyutip

Golden Member
Jul 24, 2000
1,729
0
0
I'll see if the next boot up will be shorter.
But maybe you are right since the HD light is busy longer than normal on boot up after installing SP1.

About the thing in the EULA that grants MS the right to install whatever they like, can we stop it by using a firewall?
I'm using Zone Alarm Pro 3.
Will ZA detect incoming/outgoing requests and ask me if I grant internet connection or not?
It usually does that, so I hope with ZA, I can still control what I want to install on my machine.
 

mscubsfan

Member
Jun 30, 2000
51
0
0
Thanks for all the great information... As I was downloading the SP1 program, I noticed a link for Office XP updates as well... Does anyone know if this update is useful or critical, and if it will mess up the computer or the Office program if I'm using a crack code? Thanks for all the great help!
 

c627627

Golden Member
Jan 8, 2002
1,155
0
76
Hahaha "crack code".
I heard that MS Office XP updates don't install on pirated versions, so there isn't even a choice.
 

furballz

Member
Aug 6, 2000
60
0
0
THANKKKKKSSS!!! To think that MS is selling their Palladium as a "secure" "cough" "bs" operating system... scaryyy...

For those who can't find the file, make sure to UNcheck:

Tools\Folder options\View\Hide protected operating system files
and check: Tools\Folder options\View\show hidden files

Remember to put it back after the changes or you could have similar problems :)
 

AnandTech Moderator

Staff member
Oct 12, 1999
5,704
2
0
NOTICE ~~~ We will be taking names and offering LONG vacations to any member discussing crack codes or ways to use these updates with bootleg copies of the OS.

AnandTech Moderator
 

wjsulliv

Senior member
May 29, 2001
970
0
0
Just to clarify... Any version of Office XP can be updated with any of the individual Office Updates or Office Service Packs.

However, the widely pirated version is a corporate version. Microsoft, in order to make the job of network administrators easier, disabled the ability to install updates one at a time on the fly (the way windows update does on your home pc). If you try it anyway you will get an error message indicating that the update can't be installed, please contact your network administrator.

Basically the corporate version is supposed to be installed on a workstation by the network administrator and not updated by the person using the workstation. Thus the update via the "Office Update" function is disabled.

Microsoft also built this into Windows XP Pro. Basically, you can set it up as a managed desktop. The user can't install anything and basically can't change anything. My company has just made this change and it is creating a lot of havoc in the office because the only way to get your specific software on the system (like a home grown app, or that extra screen saver that you made of your wife and kids) is to get it to the testing team 3 months prior to your migration, and then you might be lucky enough to have it approved.


The bottom line:
If you work at a company with a legal corporate install and are interested in getting the updates, contact the network administrator.
 

jonnashville

Senior member
Sep 22, 2001
378
0
0
Maybe one way to minimize a lot of future MS security holes and viruses is to dump all Microsoft products other than the browser... Delete Office, Explorer and Outlook and use OpenOffice or StarOffice, Opera and Eudora?? Just wondering after I watched Steve Gibson talk about Microsloth on The Screen Savers tonight.

Also... his advice is to not use your computer as Administrator in XP... Make yourself a special user account and use that.
 

c627627

Golden Member
Jan 8, 2002
1,155
0
76
Good point jonnashville, because I always wondered about this sentence I read somewhere about installing certain software: "Make sure you are logged in as Administrator and not just as a user with administrator privileges..." So I thought if I'm the only person using the computer, why wouldn't I naturally want to set it to automatically log me in as Administrator on every boot and not automatically log me in as a user with Administrative privileges.
Can anyone shed any light on what vulnerability we're exposing our systems to if we are logged in as Administrators vs. being logged in as users with Administrator privileges?
 

Marm

Senior member
Jan 4, 2001
263
0
0
Is this even a surprise? Microsoft having a security flaw in their operating system. I would be more impressed if they did not have a security flaw in their operating system. Look at the track record of Microsoft. I would never connect up to the net without some sort of firewall running.
 

Devistater

Diamond Member
Sep 9, 2001
3,180
0
0
Originally posted by: thinlizzie
Just buy a router/firewall. 56k here, will take forever to download.
Sorry, not correct. Firewall/router normally will stop unrequested traffic sure. But what happens when you visit a webpage? You initiated that connection. There are plenty of vulnerabilities that can hit you from malicious HTML coding regardless of firewall. It can hit you just by viewing a bad site. If you don't want to d/l, you may want to consider ordering the CD.

Originally posted by: c627627
Yeah I know, ridefree is like that guy who posted a hot deal and it was like "and then you get your buddy who works at the place to give you an employee discount..."
... us kids can't get Windows XP Pro for $39 ridefree, it's $299 or a little less, more than any hardware component in our systems -- you know that.

Sure you can. MS has been having a deal now for months (is it still on?) where you get a FULL copy of Win XP Pro direct FROM Microsoft for around $50 or whatever (including shipping). Since I've built a few computers and sold them to people, I registered for free on their site as a reseller. This is the 2nd time they've done this. The first time was around the launch of Win XP where you also got a lava lamp with a kit. That first time they gave you retail copies of WinXP Pro. This time they are giving you CD only. However, the CD doesn't have anything on it about being NFR (not for resale), so I'm not sure how that works.
Another deal they did a few months ago around launch was for a FREE copy of Win XP Pro (this one was marked NFR) if you worked at a list of eligible stores, like CompUSA, BestBuy, Walmart, etc.

ALL of these deals were straight from MS, no employee discount. BTW, that employee discount? It's not going to give you much discount on MS software. At places like CompUSA where the employee discount means you get the item at/near cost, discounts on MS stuff aren't that huge. The big discounts are on stuff like Belkin cables etc. where the markup is like 800%, and some other hardware.

PLUS, you can sign up for one of those 4 hour MS seminars, TS2 (which I found quite informative, believe it or not). It's not just about buying MS stuff, I was surprised by how many cool tips and technical things they went over. They give out free copies of WinXP Pro to everyone who attends, and often some other stuff. When I went to the one here in Fresno, they also gave out a retail package Xbox, there were probably 75 or so people attending, pretty good odds of winning if you ask me :) (if anyone wants a link to the MS seminar page, lemme know)

So so far I have 2 free copies of WinXP Pro, 2 copies of WinXP Pro that cost me around $50 each. All full (i.e. not upgrade) versions.

Plus, I just started attending a CalState University this year. The way I understand it, anyone going to any CalState University can get MS software like WinXP Pro and Office XP for about $20 apiece. CalState signed some huge $8 million agreement with MS about 4 years ago, and they got MS to agree to them giving out the software to students for extremely cheap prices. I have some links about it if anyone wants to check it out. I'm gonna pick up a couple copies of each in the near future. And yes, I do plan to use all/almost all the copies. There's over half a dozen computers in my place.

Anyway, a little minor rant here. Sorry to ramble on. Hopefully some people can use some of this info.
 

c627627

Golden Member
Jan 8, 2002
1,155
0
76
Originally posted by: Devistater: Sure you can... Since I've built a few computers and sold them to people, I registered for free on their site as a reseller... if you worked at a list of eligible stores... PLUS, you can sign up for one of those 4 hour MS seminars... plus, anyone going to any CalState University can get MS software... Anyway, a little minor rant here.
Devistater:
1. Many, if not most of us do not sell computers.
2. Many, if not most of us do not work at a "list of eligible stores".
3. Four hour Microsoft Seminar? ... Mods may get a little "how you say" perturbed if comments flew on this one.
4. Enrolling in CalState to get cheaper Windows XP... this is your solution? Devistater, buddy ... what are you doing to us?
 

straubs

Senior member
Jan 31, 2001
908
0
0
Originally posted by: thinlizzie
Just buy a router/firewall. 56k here, will take forever to download.

You apparently don't understand what this exploit does.

You click a link.

That link tells your computer to delete X directory(s).

I guess your router filters URLs? LOL! :D