Windows XP contains massive security hole
The Inquirer ^ | Wednesday 11 September 2002, 11:50 | Paul Hales

Posted on 09/11/2002 1:40:24 PM PDT by HAL9000

Install the Service Pack and, shush, don't tell anyone...

MICROSOFT'S RUSH to get Windows XP SP1 out and about may have been motivated by a desire to hide a vulnerability afflicting the operating system (cough) that allows hackers to delete files from a computer accessing a tweaked web page.

According to this Spanish-language site, a Googled translation of which is here, "a defect in Windows XP allows that anyone can erase archives of our computer if click becomes on a connection maliciously constructed, as much when visiting a malignant Web site, like a receiving a message with format HTML". Sorry about the language, but you get the picture.

A reader writes a little more clearly that this vulnerability allows the files contained in any specified directory on your system to be deleted if you click on a specially-formed URL. He points to Gibson Research here, where they warn, "This URL could appear anywhere: sent in malicious eMail, in a chat room, in a newsgroup posting, on a malicious web page, or even executed when your computer merely visits a malicious web page. It is likely to be widely exploited soon."

This is a critical vulnerability and one Microsoft has done its best to keep secret, it seems.

Another reader tells us he saw a report on TechTV, the background to which they give here where they state that Microsoft has known about the flaw for some 11 weeks but kept the lid on it because it is so easy to exploit.

Microsoft urges Windows XP users to download the Service Pack and install it as quickly as possible. You can find that here. It's a large file, though, and CD versions are only available in the US and Canada at the moment, according to Microsoft.

The advice from various sources for users unable to install the Service Pack is to find and rename the affected file uplddrvinfo.htm. µ



TOPICS: News/Current Events; Technical
KEYWORDS: lowqualitycrap; microsoft; techindex; windows; xp
To: Scully
Don't know if this is relevant, but here's a ping anyway.

Security is always relevant. I use XP. I guess I'll get the service pack. Been meaning to anyway, but didn't realize it was so critical.

61 posted on 09/11/2002 6:57:07 PM PDT by PatrickHenry
[ Post Reply | Private Reply | To 60 | View Replies]

To: 6ppc
If you got the RPM from Nvidia, it's supposed to install itself where it needs to go.

Anyhoo, let's start from scratch. Log in as root (of course), then do a "cp [whatever].rpm /usr/local/src." Then do: "rpm -Uvh /usr/local/src/[whatever].rpm."

Try installing it from here.

62 posted on 09/11/2002 6:58:15 PM PDT by rdb3
[ Post Reply | Private Reply | To 58 | View Replies]

To: general_re
I know, I know. If only I had a Mac. Not only is the G4 fast enough to execute an infinite loop in under half a second, OS X has uptimes measured in eons. Not only does it never, ever crash, it has been scientifically proven to boost a user's IQ by 30%, cure cancer by the laying on of hands, increase bank accounts to billionaire levels, and attract more hot women than a light beer commercial.

Wow! Does using Windows have some sort of delusional effect? When did I say I use an Apple product to serve data? If you go back through my previous posts, you will see that I use GNU/Linux, xBSD, Tru64 and OS/400 for servers depending on the need and processor. Not Mac OS X or Mac OS X server. I use Mac OS X for desktop not serving. Why waste a beautiful GUI on a machine that runs headless?

Get a clue. There are more operating systems out there than Windows and Mac OS. You choose one, I choose many.

63 posted on 09/11/2002 7:16:29 PM PDT by toupsie
[ Post Reply | Private Reply | To 53 | View Replies]

To: Charlotte Corday
OK, I'll try one more time.

Provide a fast, consistent, stable interface for disk, graphics, and peripheral access. That's about it. Ok, provide a highway on which I can travel 150mi/hour, safely, with a lot of rest areas, cafes, beautiful nature around, and --- I almost forgot --- free of charge. That's about it.

I don't want my OS to be an all-purpose life enhancement tool. The reason it is only a few hundred bucks is precisely because it is sold to a mass market. If MS were to develop a more specialized system tailored to your needs, it would be in the millions.

Microsoft has not delivered what I want in an OS because it would shut down the perpetual upgrade machine. No, it has not delivered on what you want because, as I am trying to tell you, what you want does not make any sense.

Take a course (or a textbook) on OS design and, while at that, something basic on business management.

If you had to buy six cars in succession from the same vendor in seven years, would it speak well of the vendor's quality?? Yes, if the reason were quality. But it is not: it is a notoriously fast rate of progress in this area, starting with the speed (and other aspects) of the hardware.

64 posted on 09/11/2002 7:22:47 PM PDT by TopQuark
[ Post Reply | Private Reply | To 42 | View Replies]

To: HAL9000
Ooooh. Isync. I'm looking forward to that one as well. Will that work with my Handspring Visor?
65 posted on 09/11/2002 7:23:03 PM PDT by Billy_bob_bob
[ Post Reply | Private Reply | To 31 | View Replies]

To: toupsie
Just cutting to the inevitable chase - for all those systems you use, you only ever seem to evangelize one of them. As for me and my choices, dual-booting Win2K and FreeBSD at home, along with working on AIX and Solaris at work is sufficient to qualify me as equally clueful, I think. Not that this will stop you from assuming you know everything there is to know about me, obviously.
66 posted on 09/11/2002 7:26:09 PM PDT by general_re
[ Post Reply | Private Reply | To 63 | View Replies]

To: jammer
Do you have to build one--or just pay for one--to be angry when it breaks? Of course not. The question is, at what or at whom? Naturally, you could blame the misfortune, the fact that things get old, etc. It is quite another, which is the case here, is to raise the accusatory finger at someone without the slightest reason.

You may have rightfully disliked my question, but the thrust of it was correct: before you curse MS (or another manufacturer), one has to have at least a vague idea about the issues involved.

One could develop a notion that, after a century of building autos it's time for the price to be in the hundreds of dollars and, G-d darn it, the only reason we pay tens of thousands instead is because "they" just overcharge us. Pretty stupid, isn't it? Well, it is not more correct or more smart with regard to software: people that demonstrate the absence of basic understanding of software design and project management ridicule or accuse MS that is a conglomeration of the best talent on the planet.

67 posted on 09/11/2002 7:29:40 PM PDT by TopQuark
[ Post Reply | Private Reply | To 46 | View Replies]

To: TechJunkYard
Do you know what happens when you execute "rm -rf /" as root? I've done it twice before reinstalling the system. Under System V/R2 it will delete a bunch of files and eventually start printing "/bin/mkdir: not found". Under Linux it does this. (That message is encoded EUC/JP).
68 posted on 09/11/2002 7:43:56 PM PDT by altair
[ Post Reply | Private Reply | To 55 | View Replies]

To: TopQuark
how many operating systems have you written?

What does that have to do with anything? If someone like Linus Torvalds or Alan Cox criticizes Windows are you going to tell him to STFU? Yeah, actually you probably would.

69 posted on 09/11/2002 7:49:17 PM PDT by dheretic
[ Post Reply | Private Reply | To 26 | View Replies]

Comment #70 Removed by Moderator

To: HAL9000
Gosh, we don't have incessant Microsoft/PC problems with our faithful iMAC and Apple operating system (9.2.2).

Does one have to experience such horrible problems as reported in this post things to qualify as an eternally-frustrated computer nerd? Hope not! We'll just coast along, error and virus free. Ho Hum...

71 posted on 09/11/2002 7:54:33 PM PDT by Paulus Invictus
[ Post Reply | Private Reply | To 1 | View Replies]

To: rdb3
Wanna be Penguified? Just holla!

Bring on board!!!!

72 posted on 09/11/2002 8:12:52 PM PDT by AaronAnderson
[ Post Reply | Private Reply | To 44 | View Replies]

To: altair
Do you know what happens when you execute "rm -rf /" as root?

Shouldn't it be #rm -Rf? Capital R for recursive force? Just checking... I've never run that command, but it looks like fun :-)
73 posted on 09/11/2002 8:19:59 PM PDT by gcraig
[ Post Reply | Private Reply | To 68 | View Replies]

To: AaronAnderson
Done deal.
74 posted on 09/11/2002 8:42:40 PM PDT by rdb3
[ Post Reply | Private Reply | To 72 | View Replies]

To: gcraig
Shouldn't it be #rm -Rf? Capital R for recursive force?

The GNU version packaged with RedHat 7.3 takes either upper or lower case.

75 posted on 09/11/2002 8:48:02 PM PDT by TechJunkYard
[ Post Reply | Private Reply | To 73 | View Replies]

To: gcraig
The rm in fileutils will take -rf, -Rf, and --recursive --force, but traditional rm takes only -rf (lowercase only). rm -rf / as root is a fun command because it's not very often that you get a chance to do it.
76 posted on 09/11/2002 9:24:02 PM PDT by altair
[ Post Reply | Private Reply | To 73 | View Replies]

To: 6ppc
Are you having issues with installing the RPMs or configuring the xserver?

from the nvidia site: (make sure you downloaded the right RPMs!)

for new installs:

$ rpm -ivh NVIDIA_kernel.i386.rpm
$ rpm -ivh NVIDIA_GLX.i386.rpm

for updates:

$ rpm -Uvh NVIDIA_kernel.i386.rpm
$ rpm -e NVIDIA_GLX
$ rpm -ivh NVIDIA_GLX.i386.rpm

and then configure the /etc/X11/XF86Config-4

replace the line:
Driver "nv" (or Driver "vesa")
with
Driver "nvidia"
In the Module section, make sure you have:
Load "glx"

You should also remove the following lines:
Load "dri"
Load "GLcore"

if they exist.

edit the Screen section and add your res at the beginning of the list of modes

77 posted on 09/11/2002 9:28:44 PM PDT by AaronAnderson
[ Post Reply | Private Reply | To 58 | View Replies]

To: JackOfVA
Both Win2000 and XP are much more stable than Win/me in my experience

Rosie O'Donnell is more stable than Windows ME.

78 posted on 09/11/2002 9:31:16 PM PDT by Richard Kimball
[ Post Reply | Private Reply | To 50 | View Replies]

To: general_re
you only ever seem to evangelize one of them

I always mention GNU/Linux when people ask for Windows alternatives. Go back and look where I link. It would be more beneficial than your on-the-spot, pop psychology. It's all UNIX to me.

79 posted on 09/11/2002 9:49:17 PM PDT by toupsie
[ Post Reply | Private Reply | To 66 | View Replies]

To: toupsie
I always mention GNU/Linux when people ask for Windows alternatives. Go back and look where I link. It would be more beneficial than your on-the-spot, pop psychology. It's all UNIX to me.

Spare me. I'm getting lectures in "the right tool for the right job" and closed-mindedness from someone who absolutely refuses to recognize that, every once in a while, Windows is the best tool for a given job. Any alternative that lets you avoid MS is preferred, no matter how execrable it is. Please. Who's the closed-minded one here, really?

80 posted on 09/11/2002 10:01:20 PM PDT by general_re
[ Post Reply | Private Reply | To 79 | View Replies]

