I heard of a big XP exploit that micro$oft knew about for about 11 weeks. Although I don’t know how it works, apparently merely clicking on a link can wipe out whole directories. Supposedly you only need to d/l Service Pack 1 or search and delete the file: uplddrvinfo.htm in order to protect yourself from it. If anyone has any more information on this, that would be great. Does merely deleting the file get the job done or do you really need to get service pack 1 (or get a Linux box)?
This is not news for MS operating systems. IMHO it’s a direct consequence of not having open source. At any rate I wasn’t aware service pack 1 was out yet though I did see an article on MSNBC that said part of the pack will be to fulfill court ordered changes.
I have not used XP but unless supported by some credible evidence this has all the marks of a hoax. How can deleting an HTML file do anything of the sort?
It sounds like the hoax that caused many people to delete a semicritical file for Windows that had to do with long file names.
Service pack one has more to do with software copying prevention than security of XP. It contains a function to repair any crack to XP activation, and prevents the Windows XP edition that has no activation required, which has leaked into file swapping networks, from accepting future updates. It also has the DoJ’s mandate that will let the user select ‘non-MS middleware’ products such as Netscape instead of IE as the default.
This is not a hoax. It has been on bug track lists for about 3 weeks now, and the TV show The Screensavers on TechTV did a demo of how it can wipe files on your computer. The fix is in SP1 or you can delete/rename the file as suggested above to stop this. For more information go to www.thescreensavers.com, click on Monday’s show links and scroll down to the boot camp section.
http://grc.com/default.htm says to install SP1 but does not mention deleting the HTM file as a solution. Can anyone show any credible support for this solution or explain to me how deleting an HTM file would do anything? The idea that MS would issue a 30 MB patch and say it does the same thing as deleting a single HTM file sounds very difficult to swallow. Can anybody who has XP tell us what this uplddrvinfo.htm file contains?
Doing a search for uplddrvinfo.htm in Google turned up nothing in English - this whole thing looks suspicious. Cnet says nothing of such a security flaw - here’s their review
From the above site
>> the service pack weighs in at a whopping 133MB
Yikes! Bloatware alert! Man, am I happy I did not switch to XP.
I am still curious as to what uplddrvinfo.htm contains and does. The name sounds like “upload driver info” but I am surprised the OS would use an HTML file for system use. I did a search and it seems the process is that the malicious link causes the OS to launch a program which is used when some driver cannot be found. The program sends to MS the hardware and driver configuration of the machine which is probably stored in that HTM file. If you terminate the program you are safe. I guess deleting that HTM file has the same effect.
I did a search for uplddrvinfo.htm but the only page I could find with a good explanation of this is in Spanish:
http://www.vsantivirus.com/xp-files-del.htm
A badly-translated Google page I saw suggested that it is involved in the XP ‘Help and Support Centre’ and has the ability to delete local files. Because it is not subject to normal browser security settings there is a risk that a malicious piece of HTML could achieve the same results:
(excuse the translation)
I forgot to say, the malicious link will start that program to send to MS your computer’s config and a screen pops up – if you terminate it from the task manager at this point you are safe. Deleting the HTM file has the same effect as the program cannot continue. If the program is allowed to continue then a list of files whose names are contained in the malicious link will be deleted.
It seems only system files would be vulnerable as their names and paths are standard. Or maybe wildcards are valid. In any case, it seems the service patch closes a lot of other holes so that would be the way to go.
Here are the gory details in English (eh, sorry, techno-English). Only MS could come up with such a gaping security vulnerability in the “Help” capabilities.
If you read through it, notice how administrators can fix the problem by using the exploit themselves! Bloody great.
For those of you who, like me, find you must use Windows for various reasons, this should be a good example of why you should never load a MS operating system until AT LEAST the first service pack has come out.
Um, no, you wait until the last service pack comes out. Win98 works pretty good these days; Win2K does well also I’m told…
In general, the service packs contain many fixes for various things – not just a single fix for a single bug – so their sizes are often going to be large. Personally, I don’t think I would care to trust a new Micro$oft OS until at least service pack 5 or 6.
Example: Win NT 4.0 had a major hole exploited through their IIS software that wasn’t patched until service pack 6. If you were running the IIS server on NT 4.0 service pack 5 or less, somebody running the exploit could gain Administrator access to your network! (I don’t have a link, but I believe that the bugtraq site was one of the places I found information about it when I was researching it for a SysAdmin course a few years ago).
Personally, I won’t be trying out XP for a while.
Arggh! :::holding out hand to accept the slap on the wrist for the double post:::
Sorry… (stupid browser timeouts… :::grumble:::)
I’d just like to mention to those crying “bloat!” that 130MB isn’t very large for a service pack. Windows XP installed is over 1GB, and SP1 contains ALL fixes up to date combined in one file. I bet all windows update fixes to date probably total more than 100MB. A significant number of files are updated, and a lot of new functionality is added (most of it invisible, but it all requires code).
Windows XP Pro’s install packages total under 500MB, which is smaller than any OS I know of with a similar number of included applications. Most Linux distributions come on at least 2 CDs.
But after installing on a new HD, Win XP Pro takes up about 1.5GB - much more than the Linux versions I tried, much more than any other version of Windows I’ve tried (3.1, 3.11, 95, 95rc2, 98, 98se, me, nt (not 2000)).
Hardly a fair comparison, when you consider that your average Linux distro includes a full office suite, multiple xwindow systems, multiple web browsers, games, multiple graphics and multimedia packages, several IDEs and utilities for every major programming language (except, of course, VB), web server, ftp server, Samba server, MS windows emulation software.
Plus the source code for most of the above.
I’ll agree that 130MB isn’t terribly huge for a service pack these days… for a server OS. For home users on dial-up, that has to be a nightmare. The OS itself, however, definitely qualifies as bloatware, for the simple fact that there is no way not to install many features that I would never want, especially in a business setting. (MSN messenger comes to mind.)