I found this at the Register's US site. I know many of you don't care for the Register, but it is an interesting article anyway. It deals with an exploit in Windows XP that could cause an entire hard drive to be wiped clean. Sounds rather scary to me.

Greg

From The Register US: http://www.theregus.com/content/4/26272.html

Win-XP Help Center request wipes your HD
By Thomas C Greene in Washington <mailto:tcgreene@xxxxxxxxxxxxxxxx>
Posted: 09/11/2002 at 08:28 EST

A malicious Win-XP Help Center request can easily and silently delete the contents of any directory on your Windows machine, we've learned. Worse, MS has rolled the fix silently into SP1 without making a public announcement. A good sketch of the problem in English, along with a harmless self-test, can be found here <http://24.78.2.184/helpcenter.htm>, thanks to Mike at http://unity.skankhouse.org, who did some tinkering after noticing a tip on a BBS.

Another, slightly earlier, mention comes from VSAntivirus <http://www.vsantivirus.com/xp-files-del.htm>, but the page, unfortunately, is in Spanish, though there are some handy screen shots in their bulletin.

The hole was discovered by Shane Hird of Distributed Systems Technology Centre, who first reported it to MS on 25 June 2002. His bulletin <http://www.security.nnov.ru/search/document.asp?docid=3370>, dated 15 August, offers the most detailed view of the problem. He suggests that fellow bug hunters look more deeply into the Help Center and its mysterious powers, since requests can remotely open files with elevated privileges.
He offers a few hints about where one might start probing.

To verify the exploit all you need to do is pop the following request into any address bar (IE, Win Explorer, etc):

hcp://system/DFS/uplddrvinfo.htm?file://c:\test\*

and the directory 'test' will be emptied after a couple of Help Center 'wizard' pages pop up uselessly to distract you.

The example works as advertised, so anyone wanting to play with it should create a test directory with copies of files. Of course you can delete your entire root directory with this approach if you so choose. Or someone else's.

The exploit is extremely dangerous because it looks to the casual user just like a URL, and can be sent in an e-mail or set up as a link on a Web page. Promising heaps of free pr0n in a busy IRC channel would likewise be effective.

To get rid of the vulnerability, you have two choices. You can install XP's new SP1, which will give Billg remote root privileges on your box by virtue of his new, Trojan EULA <http://www.theregister.co.uk/content/4/26517.html> (and silently re-enable some services you may have disabled, like 'automatic update'); or you can just go to C:\Windows\PCHEALTH\HELPCTR\SYSTEM\DFS\ and find the file uplddrvinfo.htm. This you can simply delete or rename. But beware of installing MS patches later on: these have a funny tendency to restore files and settings outside their immediate purview, back to Redmond defaults.

To check it out I did a clean install of XP and verified the exploit on a virgin image. I then installed all of the XP patches and updates except SP1, and it still worked. So SP1 is the only 'official' means of fixing the hole. It's not otherwise been dealt with.
Those who object to the SP1 EULA on moral grounds will have to delete or rename uplddrvinfo.htm, and do a search for it after subsequent patching to verify that it's still gone.

Problems with the XP Help Center have been known for some time, at least since November 2001, when this exploitable buffer overflow <http://online.securityfocus.com/archive/1/241589> was first reported. Now the issue has finally been fixed, in the background, with no announcement from Redmond. This means that any XP user who doesn't install SP1, and who never hears of the flaw, will remain vulnerable.

Redmond's handling of the issue is appalling. Apparently, 'Trustworthy Computing' means never having to say you screwed up. ®

==================================
To Unsubscribe, set digest or vacation mode or view archives use the below link.
http://thethin.net/win2000list.cfm
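As an added example, not from the Register article, Shane Hird's bulletin or the mailing list: a small Python scanner that flags the request form the article describes (the uplddrvinfo.htm page with a file:// target) wherever it shows up in mail bodies or proxy log lines, and reports the directory it would empty. The sample lines are constructed for this example; the decoding and matching logic is mine and assumes the request reaches the log as plain text, possibly percent-encoded.

```python
import re
from urllib.parse import unquote

# Constructed sample input (not taken from the article or any real log).
# The first two lines carry the Help Center request the article describes,
# the second one upper-cased and percent-encoded; the third is a benign
# hcp:// link and must not be flagged.
SAMPLE_LINES = [
    'Free stuff here: hcp://system/DFS/uplddrvinfo.htm?file://c:\\test\\*',
    '2002-09-11 08:28:01 GET hcp://system/DFS/UPLDDRVINFO.HTM'
    '?file://C%3A%5CDocuments%20and%20Settings%5C* 200',
    'Help topic: hcp://system/homepage.htm',
]

# Any hcp:// request at all: the article notes that other Help Center pages
# open files with elevated privileges, so every hcp:// link is worth logging.
HCP_RE = re.compile(r'hcp://[^\s"\'<>]+', re.IGNORECASE)

# The specific request from the article. Matching is done on the
# percent-decoded request so encoded colons and backslashes cannot evade it.
WIPE_RE = re.compile(
    r'^hcp://system/dfs/uplddrvinfo\.htm\?file://(?P<target>.+)$',
    re.IGNORECASE,
)


def extract_hcp_requests(line):
    """Return every hcp:// request in the line, percent-decoded."""
    return [unquote(m.group(0)) for m in HCP_RE.finditer(line)]


def classify_request(request):
    """Return the file:// target if this is the uplddrvinfo wipe request, else None."""
    m = WIPE_RE.match(request)
    if not m:
        return None
    return m.group('target')


def scan_lines(lines):
    """Return (line_index, target_path) for every wipe request found."""
    hits = []
    for i, line in enumerate(lines):
        for req in extract_hcp_requests(line):
            target = classify_request(req)
            if target is not None:
                hits.append((i, target))
    return hits


if __name__ == '__main__':
    for idx, target in scan_lines(SAMPLE_LINES):
        print(f'line {idx}: Help Center wipe request targeting {target!r}')
```

The matcher keys on the one file name the article gives, so it only catches this request form; logging every hcp:// request separately (extract_hcp_requests) is the cheaper way to notice the further Help Center abuses the article says remain to be explored.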