SP1: gangs of fun

I've reported on patches over the past five weeks, especially the latest service packs for Windows 2000 and XP, which contain new licence language. SP3 for Windows 2000 gives Microsoft the right to issue fixes "that will be automatically downloaded to your computer".

SP1 for XP had the same language during beta testing, but the final text now says SP1 will install "technological measures that are designed to prevent unlicensed use".

It's these new "measures" in XP SP1 that we'll scrutinise in this and upcoming columns.

First, I have to warn you about a serious security weakness that affects every XP installation. This problem allows a malicious person to erase all the files in an entire Windows XP folder -- such as C:\Windows -- merely by sending victims an email, no attachment required.

I'm choosing not to say exactly how to do this. But the gist is that Microsoft has created a new protocol it calls hcp:// for the Help and support centre introduced in XP. This protocol can be initiated by a web page or an email. Help then runs with elevated privileges, to devastating effect.
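Because the trigger is simply an hcp: link in a web page or an email, one compensating control while machines remain unpatched is to flag any inbound message or page that carries the scheme at all: no outside sender has a legitimate reason to point a user at the local Help and Support Center. The filter below is an added example written for this column, not code from the column, from Microsoft or from Steve Gibson's XPdite. It assumes mail bodies arrive as (message-id, body) pairs; the message text and the hcp: paths in it are constructed for the example and are not real Help Center URLs.

```python
import html
import re
from typing import List, Tuple

# Matches the hcp: scheme (with or without the // authority marker) and the
# rest of the URL, case-insensitively.  The leading \b keeps "xhcp://" from
# being reported.
HCP_URL = re.compile(r"\bhcp:(?://)?[^\s\"'<>]*", re.IGNORECASE)


def find_hcp_links(body: str) -> List[str]:
    """Return every hcp: URL found in an email or HTML body.

    HTML entities are decoded first so that the scheme cannot be hidden behind
    numeric character references such as &#104;cp:// in an HTML mail.
    """
    decoded = html.unescape(body)
    return [m.group(0) for m in HCP_URL.finditer(decoded)]


def scan_messages(messages) -> List[Tuple[str, List[str]]]:
    """Scan (message_id, body) pairs; return only those carrying hcp: links."""
    findings = []
    for msg_id, body in messages:
        links = find_hcp_links(body)
        if links:
            findings.append((msg_id, links))
    return findings


# Constructed sample messages (not real mail).  msg-1 carries a plain hcp: link,
# msg-2 hides the scheme behind HTML entities, msg-3 is benign.
SAMPLE_MESSAGES = [
    ("msg-1", '<p>Need help? <a href="hcp://system/somepage.htm">click here</a></p>'),
    ("msg-2", 'Open <a href="&#104;&#99;&#112;://services/support">support</a> now'),
    ("msg-3", '<a href="http://example.com/">ordinary link</a> and text about xhcp://nothing'),
]

if __name__ == "__main__":
    for msg_id, links in scan_messages(SAMPLE_MESSAGES):
        print(f"{msg_id}: {links}")
```

Running the block reports msg-1 and msg-2 and stays silent on msg-3. A filter like this only blocks the delivery path; the hole itself is closed by SP1 or by Gibson's XPdite, and the filter should be retired once every XP machine has one of them.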

This hole is closed if you install SP1. But many people aren't embracing SP1 because it involves a 30MB to 140MB download and has a bad reputation due to its many quirks (more on them later).

Although Microsoft has known of the Help flaw at least since June, "for inscrutable reasons they chose not to proactively act to close the hole before SP1", says white-hat hacker Steve Gibson.

As a result, Gibson has posted an explanation and a small 30KB utility called XPdite. This utility tests for and patches only vulnerable XP systems. XPdite can be inserted by system admins into corporate log-on sequences to fix all their XP machines.

Those quirks I mentioned above include the fact that installing SP1 breaks a surprising number of things. For instance, reader John Galus found that running SP1 shuts down the "multiple identity" feature of Outlook Express. Microsoft has confirmed this and offers a workaround here.

Bruce Kratofil, my Windows 2000 Secrets co-author, notes that two dozen SP1 installation issues are already documented here. He warns, "There could be a whole lot of grief if this stuff gets automatically updated without you knowing about the issues ahead of time."

That brings us to the new technological measures SP1 adds to automatic updates of XP. In a nutshell, your 25-character "product key" is now sent back to Microsoft via the internet when XP's product activation is run with SP1 present. If a corporate product key was used to illegally install a copy of XP, a download of SP1 will refuse to run. Most interesting, Microsoft will be able to ban certain keys in the future, which could prevent updates and/or activations.

We'll look at the implications of that next week.

Send tips to contributing editor, Livingston. He regrets that he cannot answer individual questions. Send letters for publication in Computerworld to Computerworld Letters.

Tags: Window Manager