Security hole in XP that requires SP1?


Ed Hansberry
09-11-2002, 02:18 AM
http://grc.com/default.htm

Steve Gibson has posted an alert on his web site about a very serious security hole in Windows XP (Home and Pro) that is apparently pretty easy to exploit. Tech TV's The ScreenSavers discussed it last night (http://www.techtv.com/screensavers/opinion/story/0,24330,3399049,00.html) and posted some additional information.

[Image: http://www.pocketpcthoughts.com/images/hansberry/2002/20020910-opendoor.jpg]
Is your computer open?

Apparently, Microsoft has known about this for months according to The ScreenSavers' site but has not provided a hotfix. It has, however, been fixed in SP1. The ScreenSavers posted enough information to allow you to quickly fix the issue until you can download the massive service pack, which is approximately 30MB if you use the express install (depending on services and options installed) and 133MB for the full meal deal. I am downloading it now and it is going very slowly over my DSL connection. I suppose MS's servers are a bit strained between XP SP1 and IE6 SP1 being released this week. In doing so, The ScreenSavers may have given enough information to give a script kiddie enough info to exploit the hole.

So, any XP or HTML gurus here that know any more about this situation and how valid the alert is?

Ed Hansberry
09-11-2002, 02:47 AM
Think this isn't valid? I wonder why Google removed all references to this file name from its search engine prior to the release of SP1?

msprague
09-11-2002, 02:52 AM
In doing so, The ScreenSavers may have given enough information to give a script kiddie enough info to exploit the hole.

Screensavers was not the first to make this public. Here is a report that gave all the details on August 15. The alert is definitely valid.
http://security-archive.merton.ox.ac.uk/bugtraq-200208/0223.html

ThomasC22
09-11-2002, 02:59 AM
In doing so, The ScreenSavers may have given enough information to give a script kiddie enough info to exploit the hole.

Screensavers was not the first to make this public. Here is a report that gave all the details on August 15. The alert is definitely valid.
http://security-archive.merton.ox.ac.uk/bugtraq-200208/0223.html

You know, for a company that has supposedly focused itself on security and stability, they aren't doing the best job so far (You would think a company that valued these things would manage to post a hot fix within a few days not a couple months).

Ed Hansberry
09-11-2002, 02:59 AM
Wow. Thanks msprague. This seems very nasty. Well, still downloading. :sleeping:

splintercell
09-11-2002, 03:02 AM
Not touching on the validity of this particular alert, but Steve Gibson is a damn panic monger.

Janak Parekh
09-11-2002, 03:04 AM
At least it's not a buffer overflow. This is more of a "misfeature". In my opinion, network code that trips a buffer overflow should have the originating programmer (or organization, if marketing/management didn't let a proper design go through) shot. There's no excuse for using unbounded string-handling functions nowadays.

In any case, Microsoft definitely has bright engineers, but the company's relentless feature-adding makes it difficult for them to keep up security. Their focus on integration stems from pre-Internet days; UNIX, on the other hand, tends to be a looser federation of services, with more explicit user separation, and as a result tends to be less vulnerable to exploits like this.

Let's just hope that MS, given time, will evolve as UNIX platforms did through their tough times and make more secure products. Since neither platform is going anywhere, it's all in our best interest to see a greater emphasis on security.

I'm glad I downloaded the network install of XP SP1 yesterday, when it came out :D Time to start the install rounds tomorrow... oh, by the way, those of you who have pirated copies of XP won't be able to install SP1--it checks for illegal keys and such. (Of course, I'm sure crackers are hard at work on "fixing" this.)

--bdj

Ed Hansberry
09-11-2002, 03:05 AM
Not touching on the validity of this particular alert, but Steve Gibson is a damn panic monger.
Which is why I was leery of posting this. I've since talked to a few people in the know on this and this is valid and scary, and relatively easy to exploit if you know scripting.

Rob Borek
09-11-2002, 03:05 AM
Not touching on the validity of this particular alert, but Steve Gibson is a damn panic monger.

Agreed. He can regurgitate and rant and rave at Microsoft and cause paranoia, but that's about it - he's not a security expert.

Janak Parekh
09-11-2002, 03:06 AM
Agreed. He can regurgitate and rant and rave at Microsoft and cause paranoia, but that's about it - he's not a security expert.
He's not a total security novice - he's actually a pretty damned competent programmer and has done some really cool work - but he is definitely the Chicken Little of the security industry. :lol:

--bdj

ctmagnus
09-11-2002, 03:14 AM
I am downloading it now and it is going very slowly over my DSL connection.


That's what download accelerators are for :)

ThomasC22
09-11-2002, 03:16 AM
I am downloading it now and it is going very slowly over my DSL connection.


That's what download accelerators are for :)

DSL Download Accelerators? I'm thinking that wouldn't do all that much good.

Ed Hansberry
09-11-2002, 03:18 AM
That's what download accelerators are for :)
No thanks. I don't need the spyware.

Pony99CA
09-11-2002, 03:50 AM
If you don't have time to download the XP Service Pack or have problems with their wonderful license check (like some people on "The Screen Savers" did), I'm going to tell you how to fix the problem. I hope this isn't considered a bad thing (the BugTraq link included in one post gave this information, but the fix was buried).

(NOTE: I'm using Windows 98 SE, so I can't verify this, but they did show it work on "The Screen Savers".)

1. Find the file called uplddrvinfo.htm. It's probably in your \Windows hierarchy.

2. Rename that file to something else (like uplddrvinfo.htm-x).

That should fix the problem.

Steve

Ed Hansberry
09-11-2002, 04:03 AM
1. Find the file called uplddrvinfo.htm. It's probably in your \Windows hierarchy.

2. Rename that file to something else (like uplddrvinfo.htm-x).

That should fix the problem.

Steve
My understanding is that should be temporary. That file I think is necessary for adding new hardware to XP.

Pony99CA
09-11-2002, 04:15 AM
Not touching on the validity of this particular alert, but Steve Gibson is a damn panic monger.

Agreed. He can regurgitate and rant and rave at Microsoft and cause paranoia, but that's about it - he's not a security expert.
What exactly qualifies someone as a "security expert"? Gibson has many security checking programs on his Web site, and is a damned fine programmer (how many other people do you know that code for Windows in assembler?).

Gibson also gives a lot of his utilities away for free, and has been helping people for years.

I see you're a Microsoft MVP, so I'll assume you also help people. Maybe you're just biased in this case, either because Microsoft made you an MVP or because of some issue with Gibson; I hope you don't normally trash someone who tries to help the common user keep their data safe. :-(

Steve

ctmagnus
09-11-2002, 04:18 AM
That's what download accelerators are for :)
No thanks. I don't need the spyware.

That's what Ad-aware is for :)

Pony99CA
09-11-2002, 04:24 AM
1. Find the file called uplddrvinfo.htm. It's probably in your \Windows hierarchy.

2. Rename that file to something else (like uplddrvinfo.htm-x).

That should fix the problem.

Steve
My understanding is that should be temporary. That file I think is necessary for adding new hardware to XP.
I certainly hope it's not a critical file. The information on "The Screen Savers" and what I read from the BugTraq post said it was just part of the Help Center for Windows XP.

I would hope that people wouldn't be suggesting renaming (or, worse, deleting) critical system files. In fact, doesn't XP actually prevent removing critical system files?

I do agree that this should be temporary, though. I hope that Microsoft will release a fix for just this problem (for users without broadband access or those having license key problems). Anything less is fairly irresponsible, I believe, especially given Microsoft's putative commitment to security.

Steve

Rob Borek
09-11-2002, 05:51 AM
What exactly qualifies someone as a "security expert"? Gibson has many security checking programs on his Web site, and is a damned fine programmer (how many other people do you know that code for Windows in assembler?).

Gibson also gives a lot of his utilities away for free, and has been helping people for years.

I see you're a Microsoft MVP, so I'll assume you also help people. Maybe you're just biased in this case, either because Microsoft made you an MVP or because of some issue with Gibson; I hope you don't normally trash someone who tries to help the common user keep their data safe. :-(

First off, glad he can program in assembler, because the one program he DID program in assembler has been debunked by many other experts as useless, unnecessary, and "do-nothing".

Steve just LOVES to bash Microsoft. I was at the first Gnomedex where he bashed Microsoft every chance he got. His pet project at the time was the fact that Win2k/WinXP had a raw sockets implementation (like all UNIX machines), and it would result in an explosion of DoS attacks, and that Microsoft was irresponsible for placing a raw sockets implementation in WinXP. Every security expert I can find railed on him for his hysteria and lack of knowledge of the issue.

I remember when he started saying that the fact that a Windows machine that had ports responding for NetBIOS was evil and that they had to remove the Microsoft Client from their Networking stuff. Pure hysteria.

He's a lot of hot air, not a lot of substance. Every security expert I talk to rails on Steve Gibson. I railed on him over his "WinXP raw sockets" hysteria - he regurgitated a lot of info about DDoS, but pretty much all of it was regurgitated from another Web site, and he changed some stuff around to make it look OK but screwed up the technical issues in the process.

So... I'm not the only one trashing him. Every security expert trashes his work. He's a pure PR machine - it's self-serving for him. He calls himself a "security expert" because his server was the subject of a DDoS attack. Gee, guess I'm now a doctor because I took care of a cut on my finger :roll:

Terry
09-11-2002, 06:48 AM
I still have a bad taste about Gibson from back in the SpinRite days... he advertised in a now-defunct mag called Micro Cornucopia but then stopped his ads when the editor called into question whether a newer version of SpinRite actually worked correctly. Gibson later fixed the problem uncovered by the Micro-C staff but never returned to advertise or thank them (as I recall... or I may be completely mixed up... I can't even remember what SpinRite actually did...).

Terry
ex-Microsoft MVP
now just a regular 'ol JOE

harry
09-11-2002, 07:30 AM
I got through loading both updates (IE SP1 and XP SP1) without a hitch. But it did take forever to download from MS. Maybe it was because I was doing my laptop and desktop concurrently... :?

Jonathon Watkins
09-11-2002, 09:12 AM
I still occasionally use SpinRite. There have been a few times that Norton has been unable to fix a bad cluster and has marked it as bad and unusable. Running SpinRite has fixed it - a low-level scan showed that the bad clusters had gone. SpinRite once removed 6 bad clusters on a HD that Norton and ScanDisk could not remove or relocate. It does seem to work & certainly seems to give decent quick & dirty HD benchmarks.

Cybercop
09-11-2002, 09:20 AM
I downloaded this service pack after watching screen savers and not only did it take 30 minutes to install with a T1 connection but it slowed my PC down AND deactivated my KEY for XP Home after two reboots and would not let me back into the OS. Gates you and your team of money whores suck!!! :evil:
I spent the rest of the evening reformatting and reinstalling this stupid OS all night along with all my software.

I would suggest you just change the HTM file that is the security leak and you will be done with it. Watch it, it will screw you up BAD!!!

Janak Parekh
09-11-2002, 02:36 PM
I downloaded this service pack after watching screen savers and not only did it take 30 minutes to install with a T1 connection but it slowed my PC down AND deactivated my KEY for XP Home after two reboots and would not let me back into the OS. Gates you and your team of money whores suck!!! :evil:
It's supposed to do that for illegal keys or cracked copies only. If you have a legit #, you should have called Microsoft instead of wasting all that time :)

Also, you'll need SP1 eventually, as pre-SP1 XP will eventually be unsupported.

--bdj

rocuf
09-11-2002, 02:41 PM
I got through loading both updates (IE SP1 and XP SP1) without a hitch. But it did take forever to download from MS. Maybe it was because I was doing my laptop and desktop concurrently... :?

Has anyone noticed that it takes longer to start up their system after installing SP1? My system seems like it takes forever to go from logon to hard drive not spinning since the IE SP1 and XP SP1. Has anyone else heard of anything similar? I got a pretty good rig: AMD 1800/512/40GB

Jonathon Watkins
09-11-2002, 02:51 PM
That’s not good – and I was going to put them both on tonight. Hmmm – I may hold off for now until more reports come in. Anyone else?

Ed Hansberry
09-11-2002, 03:15 PM
Has anyone noticed that it takes longer to start up their system after installing SP1? My system seems like it takes forever to go from logon to hard drive not spinning since the IE SP1 and XP SP1. Has anyone else heard of anything similar? I got a pretty good rig: AMD 1800/512/40GB
Leave your system on for 3-4 days. The prefetch cache is totally hosed after the SP1 application and XP must redo it. Sometime in the next 72 hrs, your HD will go nuts for a few minutes (or hours) and boot speed will be back to normal. Good idea to defrag after the optimization has occurred.

Jonathon Watkins
09-11-2002, 03:46 PM
Good info - thanks for that Ed. I'll do them both tonight after all then. :D

Jason Dunn
09-11-2002, 04:13 PM
I installed SP1 over the weekend and didn't have any problems...haven't installed the IE6 patch yet.

Ed Hansberry
09-11-2002, 04:21 PM
I installed SP1 over the weekend and didn't have any problems...haven't installed the IE6 patch yet.
From what I understand, the IE6 SP1 is included in XP SP1.

Janak Parekh
09-11-2002, 05:19 PM
Leave your system on for 3-4 days. The prefetch cache is totally hosed after the SP1 application and XP must redo it. Sometime in the next 72 hrs, your HD will go nuts for a few minutes (or hours) and boot speed will be back to normal. Good idea to defrag after the optimization has occurred.
Ah, THAT's what the swapping is! I've been wondering for a while. Do you happen to have a link on that?

BTW - I did try to install IE6SP1, and it seemed to install only one or two things, and flew thru. Might be worth doing Help, About and seeing if "Update Versions:" contains SP1, Jason - that's where it appears.

thanks,

--bdj

Ed Hansberry
09-11-2002, 05:33 PM
Ah, THAT's what the swapping is! I've been wondering for a while. Do you happen to have a link on that?

BTW - I did try to install IE6SP1, and it seemed to install only one or two things, and flew thru. Might be worth doing Help, About and seeing if "Update Versions:" contains SP1, Jason - that's where it appears.
See http://www.microsoft.com/windowsxp/pro/techinfo/articleindex.asp for general XP stuff, and "Startup Performance" at http://www.microsoft.com/windowsxp/pro/techinfo/planning/performance/default.asp in particular.

On IE updates, if Windows Update doesn't have anything for you, you have the latest. No need to try and find stuff. :)

rocuf
09-11-2002, 09:27 PM
Thanks Ed, As always you have the answer :)

rocuf
09-11-2002, 10:16 PM
Ed do i need to be logged on at night or will it run when the system is at the logon screen?

Thanks in advance

Ed Hansberry
09-11-2002, 10:25 PM
Ed do i need to be logged on at night or will it run when the system is at the logon screen?
Either way, but it works better if you are logged out. Fewer files in use so it can do a better job.

Jonathon Watkins
09-11-2002, 10:36 PM
Well, I'm now posting from my patched XP installation - and I did not notice any slowdown, truth be told. You were right about the IE6 patch being rolled into the XP SP1. I am now on xpsp1 for IE 6. Thanks. :D

Ed Hansberry
09-11-2002, 11:07 PM
Well, I'm now posting from my patched XP installation - and I did not notice any slowdown, truth be told. You were right about the IE6 patch being rolled into the XP SP1. I am now on xpsp1 for IE 6. Thanks. :D
I think it depends on how much free drive space you have and how much you keep it defragged. Mine is pretty clean. It boots a bit slower, but not much.

If it is slow, you can also check the event log to see if anything is recorded there like a driver or service not initializing.

Pony99CA
09-12-2002, 06:42 AM
What exactly qualifies someone as a "security expert"? Gibson has many security checking programs on his Web site, and is a damned fine programmer (how many other people do you know that code for Windows in assembler?).

Gibson also gives a lot of his utilities away for free, and has been helping people for years.

I see you're a Microsoft MVP, so I'll assume you also help people. Maybe you're just biased in this case, either because Microsoft made you an MVP or because of some issue with Gibson; I hope you don't normally trash someone who tries to help the common user keep their data safe. :-(

First off, glad he can program in assembler, because the one program he DID program in assembler has been debunked by many other experts as useless, unnecessary, and "do-nothing".

One program? I believe Gibson writes all of his Windows software in assembler, and the stuff I've seen from him has been pretty good (I'm not just talking about security software, mind you, but his total body of work).

I also noticed that you didn't mention which program you're referring to.


Steve just LOVES to bash Microsoft. I was at the first Gnomedex where he bashed Microsoft every chance he gets.

Perhaps, but not liking Microsoft doesn't mean that he's wrong.


His pet project at the time was the fact that Win2k/WinXP had a raw sockets implementation (like all UNIX machines), and it would result in an explosion of DoS attacks, and that Microsoft was irresponsible for placing a raw sockets implementation in WinXP. Every security expert I can find railed on him for his hysteria and lack of knowledge of the issue.

It's funny, because Gibson was on "The Screen Savers" tonight, and talked about this. His point wasn't that Windows XP had raw sockets, it's that all home users were in admin mode by default and that's where raw sockets are allowed. In Windows 2000 and UNIX, most users aren't admin, and therefore don't have raw sockets.

I'm not a communications guru, so I'm only saying what Gibson said, but it sounds like raw sockets allow a hacker to make an attack untraceable. If an attack is untraceable, his contention seems to be that more people will be willing to try them. It at least sounds logical. Of course, that doesn't mean his prediction will come true, but why risk it?


He's a lot of hot air, not a lot of substance. Every security expert I talk to rails on Steve Gibson. I railed on him over his "WinXP raw sockets" hysteria - he regurgitated a lot of info about DDoS, but pretty much all of it was regurgitated from another Web site, and he changed some stuff around to make it look OK but screwed up the technical issues in the process.

Well, it seems like there's a lot of hot air from you, too. I haven't seen you give many facts on why he's wrong. You didn't mention what that worthless program was, and you haven't defined what makes someone a "security expert" (like I asked previously).

I'm not enough of a communications geek to know if he's right or wrong, but as a professional programmer myself, what he says makes sense. Also, if someone gives me facts, I know how to check them.

By the way, I'm curious -- what exactly do you do?


So... I'm not the only one trashing him. Every security expert trashes his work. He's a pure PR machine - it's self-serving for him. He calls himself a "security expert" because his server was the subject of a DDoS attack. Gee, guess I'm now a doctor because I took care of a cut on my finger :roll:
At least you admit you are trashing him....

Clifford Stoll was an astronomer (I think) until he noticed a discrepancy in his computer usage, then he learned about computer security. He may not be an "expert", but he's not a novice, either. Gibson has been a programmer for as long as I can remember (early 80s), which gives him a leg up on Stoll for understanding these things, I think.

Steve

Andrew Duffy
09-12-2002, 01:57 PM
Steve Gibson is a self-publicist but there are a lot of big egos that post to this board as well.
The fact that XP has vastly increased the number of very capable machines on which to run DDoS trojans is true and very worrying. If anyone other than Gibson had pointed it out I'm sure more people would have rallied to convince MS to ship XP home edition with a more secure default setup.

Ed Hansberry
09-12-2002, 02:04 PM
Lets lay off the Gibson bashing. Say what you want, he is dead nuts on with this security flaw. Use Windows XP sans SP1 at your own risk.

Janak Parekh
09-12-2002, 03:24 PM
It's funny, because Gibson was on "The Screen Savers" tonight, and talked about this. His point wasn't that Windows XP had raw sockets, it's that all home users were in admin mode by default and that's where raw sockets are allowed. In Windows 2000 and UNIX, most users aren't admin, and therefore don't have raw sockets.
Actually, I'm not sure Windows 2000 has a raw socket implementation without external libraries; besides, most home installs of W2k do have their users running as Admin.

In any case, near-any-user access to raw sockets is worrying. Nothing's happened yet, but it does enable one to write a worm that not only propagates over email, but uses raw sockets to launch DDoS, port scan, and other attacks while spoofing the IP address, etc. more easily.

For reference, a "raw socket" is one where you construct the IP packet manually, instead of constructing a TCP or UDP socket. The latter usually require you to set the source IP address and associated fields correctly, else it won't let you send out the packet. An IP packet constructed through a raw socket can be set up in a million ways, though, and things like IP spoofing are accomplished through raw sockets.

--bdj
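The raw-socket point made in the two posts above (Pony99CA's on who gets raw sockets, Janak's on what one lets you construct) is easier to see in code. This is an added example for this page, not code from the thread or from Gibson. It builds an IPv4 header with a caller-chosen source address and a correct checksum, parses such a header back (the same check a sniffer or an egress filter would apply), and tests whether the current process is even allowed to open a raw socket, which is the admin-versus-ordinary-user distinction the posts argue about. The addresses are RFC 5737 documentation ranges chosen for the example; `send_with_own_header` is included to show the IP_HDRINCL mechanism and is not called by the demo.

```python
"""Raw sockets versus ordinary sockets, as discussed in the posts above.

Added example, not code from the thread. With a normal UDP or TCP socket the
kernel writes the IP header, so the source address is always this host's.
With a raw socket and IP_HDRINCL the caller supplies the entire IP header,
source address included, which is how address spoofing is done. Opening
such a socket needs root on UNIX or Administrator on Windows, which is the
privilege point the posts make. Addresses used here are documentation
ranges (RFC 5737), chosen for the example.
"""
import socket
import struct

IPV4_HDR_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte header, no options
IPV4_HDR_LEN = struct.calcsize(IPV4_HDR_FMT)


def ipv4_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words, complemented.
    Over a header whose checksum field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = socket.IPPROTO_UDP, ttl: int = 64,
                      ident: int = 0x1234) -> bytes:
    """Construct an IPv4 header with a caller-chosen source address.
    Nothing here checks that `src` belongs to this host; that absence of a
    check is exactly what a raw socket exposes to the caller."""
    ver_ihl = (4 << 4) | (IPV4_HDR_LEN // 4)
    fields = [ver_ihl, 0, IPV4_HDR_LEN + payload_len, ident, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    hdr = struct.pack(IPV4_HDR_FMT, *fields)  # checksum field zero
    fields[7] = ipv4_checksum(hdr)
    return struct.pack(IPV4_HDR_FMT, *fields)


def parse_ipv4_header(hdr: bytes) -> dict:
    """Decode the fixed part of an IPv4 header (e.g. from a sniffer) and
    report whether its checksum verifies. A packet whose source address is
    not one the sending network routes is spoofed; egress filters look for
    exactly that."""
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_HDR_FMT, hdr[:IPV4_HDR_LEN])
    return {
        "version": ver_ihl >> 4,
        "ihl": ver_ihl & 0x0F,
        "total_len": total_len,
        "ident": ident,
        "ttl": ttl,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "checksum_ok": ipv4_checksum(hdr[:IPV4_HDR_LEN]) == 0,
    }


def can_open_raw_socket() -> bool:
    """True if this process may open an IPv4 raw socket, i.e. it runs as
    root/Administrator (or holds CAP_NET_RAW on Linux)."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    except (PermissionError, OSError):
        return False
    s.close()
    return True


def send_with_own_header(packet: bytes, dst: str) -> int:
    """Hand a complete IP packet to the kernel unchanged (IP_HDRINCL).
    Requires the privilege tested by can_open_raw_socket(); returns bytes sent."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    try:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        return s.sendto(packet, (dst, 0))
    finally:
        s.close()


if __name__ == "__main__":
    payload = b"example"  # constructed sample payload
    pkt = build_ipv4_header("203.0.113.7", "198.51.100.9", len(payload)) + payload
    print(parse_ipv4_header(pkt))
    print("raw sockets available to this user:", can_open_raw_socket())
```

Run as an ordinary user, `can_open_raw_socket()` returns False on a UNIX host; run as root (or as the default XP Home administrator account the posts describe) it returns True, and `send_with_own_header()` would put the packet on the wire with whatever source address was packed into it.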

ceek
09-12-2002, 11:50 PM
Just doing a quick search on Steve, pulled up these two sites:

http://cable-dsl.home.att.net/netbios.htm#ShieldsUp

and http://www.grcsucks.com/

They both give interesting perspectives on Steve Gibson that debunk his many claims and hysteria..