Click any of the
images above for a full size view.
File
stats for: XPdite
|
|
|
|
Last Updated:
Size: 30k
|
Sep 17,
2002 at 09:22
(1,206.63 days ago)
|
Downloads/day: 239
Total downloads: 975,406
|
Current Rank: 6
Historical Rank: 7
|
|
|
|
What
is going on?
Ever since its original release, Windows XP has
contained a critical flaw that could be trivially exploited at any time by
any malicious hacker. By causing any Windows XP system to process a
specially-formed URL (web-style link), the XP system would obediently delete
all or most of the files within any specified directory. (That's not good.)
This flaw
is considered critical because these malicious URLs could be delivered to any
XP user through any means: via an eMail
solicitation, a chat room, a newsgroup posting, a malicious web page, or even
processed automatically without the user clicking anything by merely visiting
a malicious web page. (That's bad.)
Microsoft
was informed of this easily-demonstrated, quite significant, and easily fixed
Windows XP defect back in June of 2002. But they chose not to proactively
address the significant vulnerability created for their users until the
September 9th, 2002, release of Windows
XP's first service pack.
Since Windows
XP Service Pack 1 repairs
many more security, stability, and compatibility problems than just this
critical exploit, XPdite should not be considered a
replacement for the installation of the whole Service
Pack 1. However, reports are that XPdite is
much safer to use than Service Pack 1 (see Service Pack 1 caution below) so
it may be wise to approach the installation of Service Pack 1 with some
caution.
Since the
immediate installation of the huge Service Pack 1 may not be feasible for all
Windows XP users, or because its installation may cause serious side-effects,
and since this vulnerability is so trivially exploited and creates a significant
risk to all Windows XP users, I wrote this tiny, quickly and easily
downloaded vulnerability patch utility which can be used to instantly patch
and secure any Windows XP system against this vulnerability.
~ SERVICE PACK 1
CAUTION ~
We have received many horror stories from users who have had their
Windows XP systems badly damaged by the installation of Service Pack 1.
Some users report that one system upgrades without trouble, whereas
another is rendered nearly useless. So I want to be clear that I am
neither recommending nor advising against the installation of Service
Pack 1.
XPdite will easily and instantly cure the
vulnerability it was designed to - without any possible side effect or
negative consequences. But as for Service Pack . .
you are on your own. (I run nothing but Windows 2000.)
|
|
The
story continues . . .
Microsoft's original response to people (myself vocally among them)
suggesting that they should offer a separate patch for this vulnerability
was:
"Others have suggested that Microsoft should have
released a patch in addition to including the fix in Service Pack 1. We did
consider this as an option when we investigated the report. However,
because of architectural details associated with Help and Support Center,
building a patch for this particular issue would have required significant
technology development."
|
This assertion by Microsoft was called into question by the fact that I wrote
XPdite in half a day. XPdite
completely cures this vulnerability and protects XP users from its exploitation.
I didn't develop any "significant technology" to do it - I just
changed one insecurely designed file. That's all Microsoft had to do if they
had wanted to.
What
may have really happened . . .
I believe that someone at Microsoft was probably too busy dealing with the
many demands they face, and they simply screwed up. Despite the crushing
responsibility they carry, they're only human. If we assume that this was
simply an oversight, at this point liability concerns probably prevent them
from admitting that they goofed. They may know this internally, but we'll
never know whether they know, which makes trusting them just a little bit
more difficult today than it was yesterday - especially if this original
decision was deliberate.
The take
away-lesson from this is: We need to watch our own backs. Microsoft will do
what it can, but that won't be enough. And when asked afterward what
happened, they won't be able to tell us the truth.
One
month later . . .
Presumably due to pressure put on Microsoft by my creation of XPdite, which demonstrated for the entire world how
easily this serious vulnerability could actually be fixed, coupled with all
of the serious problems being experienced after XP's Service Pack 1 was
installed, Microsoft officially reversed their earlier position and released
a separate security patch to address this problem:
|