VICUG-L Archives

Visually Impaired Computer Users' Group List

VICUG-L@LISTSERV.ICORS.ORG

Subject:
From: David Poehlman <[log in to unmask]>
Reply To: David Poehlman <[log in to unmask]>
Date: Tue, 26 Nov 2002 18:59:07 -0500

If you are wondering why you should upgrade your XP to SP1, read this.

 Disturbing Windows XP Security Bug (by T.J. Lee)

Okay, everything Microsoft has a security bug so why should
Windows XP be any different? Regular TNPC readers know I don't go
in for a lot of "the sky is falling" hype every time someone
figures out some esoteric macro virus or other non-event. But
this issue with Windows XP is serious enough for even me to take
notice.

I run XP on my office laptop (yes, complete with the Fisher-
Price interface, hey, you get used to it) so when my boss told me
about this problem I was interested and looked into it. Microsoft
is keeping pretty quiet on the mechanics of the security flaw but
it centers on a file that installs with Windows XP called
UPLDRVINFO.HTM. This file is part of the Windows XP Help system.
There's a script in this file that can be called from a snippet
of code that allows the calling application to specify a file, or
a folder, to be deleted.

This code can be a link on a Web page, it can be a link in an
HTML email message, or it can be triggered by a rigged Web page
whereby all you have to do to get stung is to display the page in
your browser. The name of the file or folder to be deleted is
passed to the script so that filename or folder name has to be
known by the bad guys in advance. This limits the destructive
capability to known folders such as the Windows or System folder
which can quickly cripple your computer.

When the script is activated a browser window pops up and
displays the Microsoft Help and Support Center page. What is not
apparent is that it has already deleted the target files. If the
Windows folder was hosed and you shut down the system it won't
come back up.

Microsoft has known about this problem for some time but has been
very closed-mouthed about it since once hackers know that
UPLDRVINFO.HTM is involved it is easy to go study that file and
figure out how to start deleting unsuspecting Windows XP users'
files. The rest of the security professionals have gone along
with Microsoft until a patch or workaround was found. There are
now several solutions to this bug and if you are running Windows
XP you should implement one.

First, and easiest, is to just rename the UPLDRVINFO.HTM file.
While this is a bit of a band-aid approach it is preferable to
doing nothing about this problem. Another, and more comprehensive
solution, is to install the Windows XP Service Pack 1 upgrade.
The only downside to the SP1 fix is that it's a "version 1" of a
service pack and Microsoft has been known to break more things
than it fixed in initial service packs. But I've installed SP1 on my
laptop and have not had any major issues, but be aware there is a
LOT of negative buzz about SP1.

Microsoft, perhaps realizing that SP1 is not all it could/should
be, has also issued a patch last month to address this security
flaw. It's a 1 megabyte plus patch and you can find it here:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43681

However, if you're going to go the patch route consider the fix
put out by Steve Gibson called XPdite. It's a 30k file so it's
immensely faster to download and apply than the Microsoft patch
and even more so when compared to the 135 megabyte Windows XP
Service Pack 1 upgrade. You'll find Steve's XPdite here:
http://www.TheNakedPC.com/t/524/tr.cgi?jim1

If you want to see this XP bug in action check out this TechTV
video clip:
http://cgi.techtv.com/mediamodule?action=view&version=20020910095425&video_src=/thescreensavers/2002/ss020909c&width=320&height=240&vidsection=3200042&add_date=1031641200&start=&end=&duration=&bitrates=
http://www.TheNakedPC.com/t/524/tr.cgi?jim2

You can reach T.J. Lee at:
mailto:[log in to unmask]


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
 VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html

