If you are using Windows XP, you may be interested in this information from GIBSON RESEARCH CORPORATION (http:www.grc.com). This information is about 6 weeks old as I post it, so maybe you already know about this, but if you don't you ought to.
Ever since its original release, Windows XP has contained a critical flaw that could be trivially exploited at any time by any malicious hacker. By causing any Windows XP system to process a specially-formed URL (web-style link), the XP system would obediently delete all or most of the files within any specified directory. (That's not good.)This flaw is considered critical because these malicious URLs could be delivered to any XP user through any means: via an eMail solicitation, a chat room, a newsgroup posting, a malicious web page, or even processed automatically without the user clicking anything by merely visiting a malicious web page. (That's bad.)
Microsoft was informed of this easily-demonstrated, quite significant, and easily fixed Windows XP defect back in June of 2002. But they chose not to proactively address the significant vulnerability created for their users until the September 9th, 2002, release of Windows XP's first service pack.
Since Windows XP Service Pack 1 repairs many more security, stability, and compatibility problems than just this critical exploit, XPdite should not be considered a replacement for the installation of the whole Service Pack 1. However, reports are that XPdite is much safer to use than Service Pack 1 (see Service Pack 1 caution below) so it may be wise to approach the installation of Service Pack 1 with some caution.
Since the immediate installation of the huge Service Pack 1 may not be feasible for all Windows XP users, or because its installation may cause serious side-effects, and since this vulnerability is so trivially exploited and creates a significant risk to all Windows XP users, I wrote this tiny, quickly and easily downloaded vulnerability patch utility which can be used to instantly patch and secure any Windows XP system against this vulnerability.
~ SERVICE PACK 1 CAUTION ~
We have received many horror stories from users who have had their Windows XP systems badly damaged by the installation of Service Pack 1.
Some users report that one system upgrades without trouble, whereas another is rendered nearly useless. So I want to be clear that I am neither recommending nor advising against the installation of Service Pack 1.
XPdite will easily and instantly cure the vulnerability it was designed to without any possible side effect or negative consequences. But as for Service Pack 1 . . . you are on your own. (I run nothing but Windows 2000.)
Overheard in our newsgroups ...
"[...] What kinda surprised me was that the MS tech rep informed me they were having a large problem with XP service pack 1, and not to install it."
An editor of a respected security organization ...
"Toshiba advised me to re-install XP from scratch to get rid of the service pack."
Win XP Update Crashes Some PCs ... PCWorld.com, September 20th.
Overheard in the Microsoft newsgroups ...
"I installed [SP1] on 9/19 (and followed all instructions and precautions) and from there on just went through major nightmares, it seems impossible to get SP1 off the system. The symptoms ... escalated to the point where the system became in-operable. Yesterday I spent 4.5 hours with a Tech from HP rescuing my system, as per HP: 3 out of 10 calls they receive are due to problems caused by SP1."The story continues . . .
Microsoft's original response to people (myself vocally among them) suggesting that they should offer a separate patch for this vulnerability was:
"Others have suggested that Microsoft should have released a patch in addition to including the fix in Service Pack 1. We did consider this as an option when we investigated the report. However, because of architectural details associated with Help and Support Center, building a patch for this particular issue would have required significant technology development."
This assertion by Microsoft was called into question by the fact that I wrote XPdite in half a day. XPdite completely cures this vulnerability and protects XP users from its exploitation. I didn't develop any "significant technology" to do it I just changed one insecurely designed file. That's all Microsoft had to do if they had wanted to.What may have really happened . . .
I believe that someone at Microsoft was probably too busy dealing with the many demands they face, and they simply screwed up. Despite the crushing responsibility they carry, they're only human. If we assume that this was simply an oversight, at this point liability concerns probably prevent them from admitting that they goofed. They may know this internally, but we'll never know whether they know, which makes trusting them just a little bit more difficult today than it was yesterday especially if this original decision was deliberate.The take away-lesson from this is: We need to watch our own backs. Microsoft will do what it can, but that won't be enough. And when asked afterward what happened, they won't be able to tell us the truth.
One month later . . .
Presumably due to pressure put on Microsoft by my creation of XPdite, which demonstrated for the entire world how easily this serious vulnerability could actually be fixed, coupled with all of the serious problems being experienced after XP's Service Pack 1 was installed, Microsoft officially reversed their earlier position and released a separate security patch to address this problem:
~ NEWS FROM MICROSOFT ~
Microsoft gets a clue: A little more than one month after the release of Service Pack 1 and after more than 180,000 downloads of our 30 kbyte "XPdite" exploit patcher Microsoft has apparently seen the light. Microsoft's Security Bulletin MS02-060 discusses this problem and provides a link to their own 1.35 megabyte patch for this problem.
Microsoft explains: "... we initially planned to deliver the fix for this issue only via Service Pack 1, but subsequently made the decision to also make it available as a patch. Although there were sound reasons for the original decision, we reconsidered based on feedback from our customers, who in some cases advised that they had not yet found sufficient time to deploy Service Pack 1."
So, please be advised that you now have a second alternative to the use of our 30 kbyte XPdite utility: You may download and apply Microsoft's official 1.35 megabyte patch.And, just to take this vulnerability out of the realm of theory . . .
~ EXPLOIT UPDATE ~
As feared and expected, just five days after the release of Service Pack 1, and the publication of this vulnerability's details by irresponsible web journalists, instances of malicious URLs for deleting all files from user directories started appearing on the Internet.
PLEASE be sure to inform your friends and associates who are using XP about the need to either update to Service Pack 1, or quickly run XPdite on their systems.What should you do?
Today, you have three choices:download and run the 30k XPdite program on your Windows XP system. it will instantly eliminate this critical vulnerability. XPdite only needs to be run once to secure your system from this trouble, after which if can be deleted from the system. In fact, if you right-click on the XPdite link and choose 'Open' or 'Run', you can run it without even installing it in your system.
(Please see the green "News From Microsoft" box above for the relevant links.)
However, now that Microsoft has addressed this vulnerability with their own patch, Service Pack 1 should not be applied merely as a remedy for this trouble. Given the troubles which have been caused by Service Pack 1, if you do not wish to use XPdite, you should probably use Microsoft's own patch. Perhaps at some point they'll release a service pack for the service pack.
