Windows Security Bulletin

SECURITY ALERT:
If you use Windows XP your system is vulnerable to a very simple attack that could let any hacker delete all the files in any directory by embedding a short invisible command in a web page or HTML email. I’ve demonstrated the attack on The Screen Savers and it’s incredibly easy to implement and totally destructive. It’s one of the most serious security flaws I’ve ever seen.

Microsoft has remained completely silent on this, even though they’ve apparently known about it for 11 weeks. The potential for harm is so great that they and the entire computer security establishment have kept the hole a secret. It’s called “security through obscurity” and, in my opinion, it’s the worst possible way to protect your system.

The short term fix is to delete or rename a file on your system named c:\windows\PCHEALTH\HELPCTR\System\DFS\uplddrvinfo.htm. A better long term solution is to install the Windows XP Service Pack which Microsoft made available yesterday. It’s a fairly big download, over 50 megs on my fully updated system, but it presumably fixes other security flaws we don’t know about.

Steve Gibson has written about this flaw and it was the subject of a security bulletin on Bugtraq.

This is one more reason I’m no longer recommending Windows machines to my family and friends. Microsoft’s security model is so severely flawed that I believe it’s impossible for them to make a secure version of the OS. Use Mac OS X instead. It’s not perfect, either, but it’s much less susceptible to this sort of thing.

And if you use XP, please run Windows Update and install SP-1 as soon as possible. Now that the word’s out I expect to see this exploit all over the place.

81 Replies to “Windows Security Bulletin”

  1. And to think all my friends said I was just being one of those paranoid MS bashers for not upgrading from Win98.

  2. Thanks for the heads up Leo! Although I’m a Win2K user myself, I’ve spread the word to friends who have XP. This is a huge screw up by Microsoft, and since the fix can be so simple, I just can’t understand why they wouldn’t send out a basic fix before SP-1. I guess it’s all perception in the marketplace and such… blech! (Look forward to seeing you in Maryland!)

  3. hi leo
    i think there is a slight error. it is “uplddrvinfo.htm” instead of “uplddrvrinfo.htm”
    just wanted to make sure everyone used the right letters.
    i went to the tss shownotes to make sure about that.
    anyways nice work.
    ken

  4. Thanks, Ken. I fixed the file name, providing the full path name to make it easier to find.
    Apparently this is functionality intended to let Microsoft support upload drivers to your system. There may be other uglies built into the Help Center functionality. That’s why the upgrade to SP-1 is the best thing to do. What scares me is that Windows is apparently riddled with holes like this.
    We agonized a long time whether to reveal the filename, since it’s enough information for a hacker to figure out the exploit, but I decided to go public because it’s such a quick and simple fix and the Service Pack is so huge. Furthermore, we don’t know if SP-1 causes problems as previous service packs have. Since Bugtraq and other security organizations have published the exploit, I decided it was worth taking the chance and getting the word out there in the widest possible way.

  5. Thanks for the 4+ hour download Microsoft… Thanks for the heads up leo!!!
    Love the show keep up the great work. What ever happened to the National Radio show with Premiere Radio Network?
    Sorry I sent this twice forgot my email address

  6. Leo,
    I agree that MS is lax on security issues but is that really reason enough to stop using/recommending WinXP altogether? There is a rather large demographic of people who are unable to afford even the least expensive Mac, and who are first-time buyers, that can only get into the computer/online world through WinXP, because of its ease of use. I must admit to a bit of bias because I own my own PC sales business, but I’m using that as the frame of reference here. I always update my PCs from Windows Update before they are sold, and encourage my customers to do so at least monthly after purchase. I encourage PC vendors who read this to do the same. Use inexpensive network cards and your own broadband connection to do this, it will make your broadband tax deductible if it is not already, and will increase sellability and value in your PCs.

  7. Great to see you back on the set, I enjoy the way that you can be candid, knowledgeable about a matter at hand.
    While you were gone, many times I thought I had tuned into “Entertainment Tonight”. Yet, they made it worse by being “Mac” bashers. There were times, episodes I could not bear to watch the staff’s budding stardom. Personally, I believe if one keeps the show interesting, thought provoking the ratings will follow.
    Thank you, keep it fun, Ken

  8. Phew, thanks Leo. I can’t watch TSS as much now because I’m in college. Your blog yahoo mailing list really helped out! I’ve also got some of my friends now uploading the Service Pack. Leave it to Microsoft to keep something under their hat until the last second. The thing is what if they know about something, don’t say anything, and some hacker discovers it and exploits it before they “Announce” it? Oh well, eventually I suppose it’ll get them where it hurts.
    Thanks again Leo! You’re a life-saver!

  9. Thanks Leo for giving us all the info we needed to fix this problem immediately. I just recently got broadband so my 56K days are still fresh in my mind. I can’t imagine trying to download 140mb. Plus installing the service pack the first day is not such a good idea either. I want to praise you for your courage to break this story, keep up the good work. Now we just need to work out a way to clone you so you can spend all the time you want with your family and still help all us users out there. I still hate MAC’s though and no I’m not just saying that I use one every day at work. Though it’s O.S. 9, I would like to try O.S. X.

  10. To write off an entire operating system, controlling more than 90% of the current market, does not seem to be a viable option. I have thousands of dollars of equipment and software, plus untold hours of study invested in my 5 PCs. To chuck it all and invest in an entirely new system is not a viable option. If Microsoft did not operate in the current quarter by quarter business environment it might be possible to sit on products and test them until every flaw was discovered; it would also halt innovation, progress and profits. An item as complex as a computer operating system; Windows XP has 45 million lines of code, will contain flaws. Surely if Apple had the customer base that Microsoft has, with the attending hackers and crackers, all the arguments offered over the years denigrating Microsoft’s products would probably apply to Apple in equal measure. Is it a question of poorly designed products, or overwhelming market share that includes individuals intent on exploiting the product?

  11. Thanks Leo for the Patch for we who are on dial Up & can’t get that 48MB Download! 🙂
    Applied it after not being able to download only 22MB.
    Too Bad MS doesn’t offer a CD for us. We’d certainly be willing to pay for the shipping etc….. 🙁

  12. well……the email apparently didn’t show up on my last post so here it
    is, visser003@mail.com please dont email me all kinds cuse that will mess
    up my beautifully made computer(made by me 🙂 )

  13. Thank you for the fix, and for taking the risk. A lot of people would be left vulnerable if it weren’t for the Screen Savers and TechTV.

  14. Every day I find another reason to be glad I have a Mac … mostly because I am a support technician at work!

  15. Hello
    I need to download a disk for my mother in law — I am assuming that I can just download the 32Bit XP to a CD, run it on my machine and mail it to her (she has a dial up connection which only runs at 24K…. (I also assume that the Home and XP Pro versions are BOTH 32 bit OS’s).
    Any other considerations I should make? Should I burn the exe file to the CD? I will have to see what else the web site says, but just looking for some help here.
    Thanks
    Chris

  16. I’m 100% sure that the only reason Microsoft did nothing about this before is so that people with pirated copies of XP well get screwed. Think about it… Pirated copies are locked out of SP1 and will not be able to get any updates in the future due to CD-Key cross-checking. For the average pirater, that might not have seemed like a big problem, until now. If you don’t want your stuff deleted, you have no choice but to upgrade to SP1, and if you have a pirated copy, you CAN’T upgrade to SP1… They did it to screw with piraters… Bill Gates is relaxing in his office laughing his @$$ off, watching the sales of XP suddenly surge.

  17. There’s a very simple, EASY way to obtain and then change the product key for Windows XP so that you can install SP1. (and no, I won’t discuss it here) Any hacker worth his/her salt already knows about and could care less what Gates is doing.
    P.S. Leo you are the best. I’m lucky enough to have some extra cash burning a hole in my pocket this week. I’ve been teetering on the edge of switching for a few months now and your email was enough to send me over the edge. Next week there will be a new G4 dual 867 mhz machine sitting on my desk. Thanks Leo!
    dh

  18. I think I’m going to stick with Windows 98 (first edition) until my extended warranty on my Compaq Presario 5152 (purchased in January 1999) expires in January 2004 and the computer konks out…

  19. I’m sure that everyone agrees that this is a pretty severe flaw. My question is this : why is it that all of the major security and bug fix web sites have decided to sweep this one under the rug? Even the major search engines have blocked reference to the problem. If it were not for Bugtraq, you and Steve Gibson, I don’t think any mention of this would have been made until many of Microsoft’s XP users really got hosed ( not that we ignore regular OS updates…..). I was under the assumption that the ‘net was for sharing and exchanging ideas and info, right/wrong/ or otherwise. Seems that many of the people in the know are taking a “government” like stance on things these days : What you do not know is for your own protection. Nuts….

  20. I agree completely with dhdave on that one.
    People are always going to hack, and always going to crack, and they will always succeed. The only thing all of this does is make things slightly more difficult. (And besides, if a hacker is like most intelligent people, something new to try and stop them is seen only as a challenge, not a deterrent).
    If someone can get their hands on a volume-licensed copy of XP, then all activation and lockout from updates is disabled, due to the unbelievable amount of problems it would cause a large business with a large number of PCs (we have 12,000 where I work).
    So you don’t even have to crack it anymore, just find someone with a volume-licenced copy and a working CD-Key and that’s it.

  21. Thanks for the heads up, Leo! I am on Broadband and downloaded SP 1 and archived my present system for backup, one of the options it gave. It installed without any problems and is running flawlessly. I love Windows XP and am not about to jump on the Mac bandwagon because of some security flaws. While I appreciate your taking this so seriously and alerting your viewers, I think you may be overreacting ‘just a tad’ by writing off Microsoft…
    For those who say that this is Bill Gates’ way to head off the hackers that won’t be able to upgrade to SP1, well, the way around that is posted all over the internet. Those with pirated copies of XP are just getting new registration numbers and going on about their lives.

  22. Thanks Leo for the heads up!
    I noticed that SP-1 combines many of the patches that have already been on Windows Update before. One of these patches, Q317277, I cannot download as it causes my Sony VAIO laptop to freeze. Is it possible, after downloading SP-1 to uninstall the one patch that gives me trouble?

  23. Thanks for the info Leo, it’s pretty sad when we need to rely on your show/net articles(both are a great source of info ,btw) for patching up what could be a huge security flaw in XP that we all personally read/seen BEFORE windows updater noticed the new update pack. By no means am i knocking your show/web site(which i enjoy greatly) i’m just saying Microsoft should have been the first to deliver the update/patch/security news.
    Now i have cable..so it’s not such a big deal(the downloads, that is) but with each additional windows release is another bunch of bugs which need patching up(29 times XP needed patching on my pc since August), however with XP’s holes in security, it’s much more of a constant worry of security than an inconvenience..as it was with say 95/98..etc.
    Now, i could never go with the Mac, even as i did start out using Amiga’s OS in the mid 80’s…which i loved, and it never crashed once. (The Mac’s original OS source code was very similar to Amiga OS.)..HOWEVER
    for software reasons and gaming i could never switch to a Mac.
    Anyway..ranting off,
    My question to you guys is this:
    Are the SP1 upgrade pack AND deleting the –>“uplddrvinfo.htm” file both necessary?
    Or is the SP1 upgrade pack enough?
    Thanks for the info once again and keep up the superb work, guys.
    Philip O.

  24. Look; the only reason Mac OS X seems more secure; is that no one wants to find security holes in it. Only 3% of the computer using populace use Mac OS. Telling your friends to buy macs is a grave disservice; they are unupgradeable and expensive.
    They also tell lies to sell machines:
    http://www.apple.com/la/hardware/en/powermac/graphics.html
    Here they say “And the Power Mac G4 comes standard with a gigabit (10/100/1000BASE-T) Ethernet connector so you can terrorize PC users online.”
    Anyone with a modicum of knowledge falls over laughing. Mac has been instigating this fight for years.. it’s no wonder why dell and compaq never compare themselves to mac..?
    CE

  25. What’s this I hear that Microsoft added a new “phrase” to their End User License Agreement? Specifically, I mean, this one:
    “You agree that in order to protect the integrity of content and software protected by digital rights management (‘Secure Content’), Microsoft may provide security related updates to the OS Components that will be automatically downloaded onto your computer. These security related updates may disable your ability to copy and/or play Secure Content and use other software on your computer. If we provide such a security update, we will use reasonable efforts to post notices on a web site explaining the update.”
    What exactly does that mean? Can Microsoft “spy” around on my machine and look for illegal items?
    I’m not a lawyer; please explain this in layman’s terms on a future show.
    Thanks.

  26. I am already “skittish” about Microsoft’s latest Beta. I am a little hesitant to download the SP1 and have it hose my system or change my program functionality. I agree we need the security fixes but I am tired of patches and feature upgrades that hurt me. I have to be honest though. I got Windows XP the day it came out. It has NEVER crashed. Not once. Never froze up. Very rarely a program will crash but the desktop “moves on.” I use the hibernate feature all the time. I can’t remember the last time I had to reboot. Usually only when prompted after installing a new program that requires it.
    I was brave enough to download the Windows Media Player 9 Beta for my windows XP Pro desktop machine. It, as I had worried, totally broke my Personal Video Recorder! doh!
    Snapstream, which is an awesome little program that turns your PC into a TiVO like device, stopped functioning. ( http://www.snapstream.com ) I like being able to record tv programs such as “The Screensavers” (wink wink*) and then transfer them to my laptop to view anywhere or watch them across the network (very cool.)
    The program uses windows media encoder 8 and the WMP player broke it. Strange because encoder 9, (included in the player software…like we have a choice here… you Microsoft “nimnuls!”), has the old codecs in it. I am sure it’s a Digital rights management issue or another bug. Just coincidence that Microsoft is coming out with a “Media PC” with PVR functionality, (very limited), at the same time. I’m sure it is :-P. I am glad the newest version of Snapstream is due out soon, (me hopes, they say), ditches the Windows encoder.
    I had to do a “restore image” of a time before I installed the Beta of WMP to fix the problem. Of course Microsoft made it impossible to fully remove WMP 9 with an uninstall. Took about 30 minutes of my precious time that I could have been sitting here watching “sponge Bob” or some-such quality television programming. (Thanks Bill! butthead…)
    BTW I went through Windows Update and I noticed that when it scans my computer and picks updates for me to install I cannot pick any update other than SP1… It doesn’t even show them. What’s up? Is Windows update “broke” if you don’t have the Service Pack 1 now? buttheads… My guess is they do that so people who have somehow hacked a copied version to work will find they can’t upgrade. No luck for people like me who want a security fix without this major patch that can break their software.
    Maybe the Update site was just hosed because of traffic. I’ll check later. If not I’ll have to go to the manual download option if I decide to get it. I’m sure it’ll break my PVR program again; if not other items.
    *(Note to lawyers everywhere… When I record TV programs off of TechTV I always, always, always, watch all the commercials… sometimes twice! …just to be extra thorough! …and I always delete it immediately after I watch it… har har har yada yada yada)

  27. The SP1 actually fixed my internet connection, I have cable and had really bad latency problems that no one could fix, my speeds are super fast ever since i restarted my comp after installing the pack, that would have to be a big coincidence.

  28. I’m glad that I didn’t buy XP yet, I think I will sit with Win ME for
    while. After all look at all the service packs that NT has a had lol

  29. Leo, why not post a link that kills the file? Then you a) learn the danger and b) are protected automatically.
    Not sure if I can post a link on your blog and you might just delete it anyway (hey, I might not blame ya!) but, here goes:
    Link that shows the flaw and fixes the problem
    Note: The code is there on the page. Whether it shows up or not is up to Leo.
    Ahh, the beautiful irony of it all….

  30. By putting up a web page to use the glitch to fix the glitch, wouldn’t it make it even easier for someone who wanted to do evil to just cut and paste the code, changing the name of the file altered to my music or whatever and then posting it somewhere else?
    Rosie, I’m sorry about your computer! That’s insane that you had to buy the OS twice!
    Me, I’m sticking with Win2K for awhile longer, though I was planning on upgrading I’ll wait awhile for some of the larger kinks to get worked out.

  31. Hey Leo,
    Thanks for the info, we renamed that file right away and as soon as we get a cable modem we’re downloading the SP. I enjoy watching the show and I think it’s way cool. I agree with that guy before however, why not just create a link that deletes that file? and then just uhh put a message on there..”Do not click unless you know…….blah blah blah” But however you wanna work it Leo.

  32. Thanks, Leo!
    I applied SP1 and did a search for c:\windows\PCHEALTH\HELPCTR\System\DFS\uplddrvinfo.htm… Still there! Well, it’s gone now.
    Thanks again,
    Steve

  33. SP1 does NOT delete the uplddrvinfo.htm file – it simply patches the hole that makes that file respond to certain requests. If you installed SP1 correctly, you still should have the file – it just won’t let the code delete folders.

  34. To elaborate on my previous post. It appears there are A LOT of people with XP and ME that are miffed about the windows media player 9 Beta. As noted on the story written today at http://news.com.com/2100-1001-957704.html?tag=dd.ne.dht.nl-sty.0
    No big deal for me, doing a system restore after 2 days..but imagine 2 weeks down the line and you have a major problem with it. Imagine also that since that time you’ve installed a lot of programs or maybe some hardware. Oops! If you want to get rid of wmp9 you lose it all too.
    However, SP1 is completely removeable easily if you choose the archive option so I’ll give it a shot. Now I just need to download the thing over three freakin days…or better yet take my laptop to my mom’s house where there is broadband.
    I like how microsoft says that it intended that WMP would not be able to be uninstalled because it is so entwined in the operating system…and on the other side of their heads they say that SP1 can be easily removed if you choose the ‘archive option’ What a load Of “Hooey!”

  35. Thank you for the quick fix patch!!
    I am an amateur and it was very simple for someone to cause damaging effects.
    Leo and the ScreenSavers team are the Best!! Keep up the Great Work!!

  36. well, I don’t think not recommending windows
    to family and friends is such a good idea either.
    It is possible for $icrosoft to make a secure OS,
    they just choose not to, for monopolistic purposes.
    I mean, half of their employees consist of the most
    brilliant 20 year olds fresh out of college. My sources
    tell me that Bill Gates selectively picks 20 yr old
    honor students from harvard and some of the other
    top colleges in the country, so I highly doubt
    microsoft can make a secure OS.. the problem is
    as with all multi million dollar industries nowadays,
    they care more about ‘money’ and making a profit
    than the well-being of their customers..
    I mean, I’m sure techTV works very similar..
    I’m sure TSS have different ideas than management have
    I am sure management have different ideas to boost
    ratings than what leo and patrick tend to agree with,
    but they have to obey cuz its their job..
    well, I am guessing the same holds true for microsoft.
    I am sure they have good programmers who can write
    such an OS, they just have bad management…
    ever since this virus came out, I have suspected that
    its some sorta microsoft ‘ploy’ to get software pirates
    to buy their product, I wouldn’t put it past bill
    at all..I’m sure the virus was even invented by them
    in the first place, purposely put there so customers
    would get all freaked out and go buy their product
    (which would explain why they didn’t want the fix
    other than SP1 released to the public)
    I mean, it’s kinda obvious isn’t it? SP1 is the only security fix
    that requires a valid serial #, that has been out for
    3 months but m$ has decided to just now make it available to
    everyone, I mean, doesn’t that seem kinda fishy?
    does to me anyway….and that was just my first thought
    when I heard about this…after reading the details
    about it I’m even more convinced it was a microsoft
    scam…

  37. I have had Win XP since about a month after it was on the market, sure I have had some problems, But I think in the long run, I have had less than I did with Win 95/98/ME. I always keep my system up to date, and have never had a security problem. I had a firewall, and a router, and keep my virus software up to date.
    I love Win XP, I could never go backwards or back to a Mac. What if Micro soft closed it’s door next week, where would we be??????

  38. Leo, boy do you have guts. Telling your audience to give up PC’s run by Microsoft Operating systems is brave and blunt. I totally agree with you. Microsoft Operating systems are a joke. It almost seems as if the flaws were placed in the systems by design. Giving up the PC run by a Microsoft Operating system is a good idea for the average computer user but not for someone who wants to keep up with the computing industry. One must know the ‘ins and outs’ of Microsoft Operating systems if they are in the industry because it is the most widely used operating system in this country and many other countries. Let’s hope Apple lowers its prices so more people can afford a Mac. In the meantime computer users that know something about computers in general and software in particular could and should start using BSD Unix or a flavor of Linux.

  39. to the guy that said that Gates is laughing at all the piraters and causing sales to rise:
    I had to buy another copy of XP for my Vaio laptop because of the service pack, even though I had a legit pre-installed version from Sony.
    Why? Because the service pack crashed my computer when installing it – it would no longer boot – and I couldn’t save my data and programs with my stuff from Sony. Grrr.
    So.. I went and bought a Windows XP upgrade to save my stuff. Yeah, it sucked, but at least I got an academic discount. I don’t appreciate Microsoft nuking my computer, though, to “fix it.” Although it DID keep hackers from deleting all the stuff on my computer, I suppose.. ^^;

  40. Thanks Leo for the life saving tip!
    Chris Evans : huh? Your arguments are weak and out of touch with reality, my friend. Mac OS X is based on FreeBSD, which is UNIX. That’s used by a whole lot more people than you might think, and hackers do try their hand at it. Keep in mind that XP’s market share isn’t 97% either; most people just don’t upgrade their PCs until they just break, so XP’s market share will stay under 50% for a few years. Where’s the “standard” in that?
    Those few security holes that do exist in OS X are fixed quickly by Apple and distributed in the form of small, manageable updates. No 50 MB download or proof of purchase required, thank you very much!
    The “lie” you refer to isn’t one. Apple Pro machines all come with Gigabit Ethernet built-in, which is useful to get online at a decent speed. Sure, the connection won’t be faster than any 10 Base-T or 100 base-T network card for online gaming or web surfing, but it WILL allow you to “terrorize PC users” that play online games (if you’re a better gamer than they are, of course). That’s not a lie, that’s simple marketing humor.
    Why are you calling Apple “Mac”? “Mac” isn’t a person or an entity (it’s a computer platform nickname), so how could it ever investigate something? What would it “investigate”?
    Look on any MS web page to find such “lies”. For example :
    http://www.microsoft.com/windowsxp/pro/default.asp
    How can they call XP a secure OS? New flaws are found every day, and XP is still wide open to viruses.
    And about that comparison thing : GM doesn’t compare itself to Mercedes-Benz either. That doesn’t mean that GM makes better cars than M-B.

  41. It should be noted that those with Nvidia GeForce video cards should make sure they have the latest drivers (7-2002) BEFORE downloading the SP-1. Otherwise Windows XP will crash and go into an endless loop re-boot. The only solution to the crash will be to download the 6-floppy set of XP boot disks and then re-install XP.
