<IMG src="i/expressions/face-icon-small-confused.gif" border=0><FONT size=2> <BR>DAMNED IF YOU DO,AND DAMNED IF YOU DON'T<BR><P></P>Although i dont have Windows XP myself yet,in view of recent postings i think you should be aware of a couple of issues discussed in these extracts from various newsletters. hope they are of help.<BR><P></P>--------------------------((( FIRST EXTRACT)))----------------------------------<BR><P></P>A malicious Win-XP Help Center request can easily and silently delete the contents of any directory on your Windows machine. Worse, MS has rolled the fix silently into SP1 without making a public announcement. Bug hunters should look more deeply into the Help Center and its mysterious powers, since requests can remotely open files with elevated privileges.To verify the exploit all you need to do is pop the following request into any address bar (IE, Win Explorer, etc): hcp://system/DFS/uplddrvinfo.htm?file://c: est* and the directory 'test' will be emptied after a couple of Help Center 'wizard' pages pop up uselessly to distract you. The example works as advertised, so anyone wanting to play with it should create a test directory with copies of files. Of course you can delete your entire root directory with this approach if you so choose. Or someone else's. The exploit is extremely dangerous because it looks to the casual user just like a URL, and can be sent in an e-mail or set up as a link on a Web page. Promising heaps of free porn in a busy IRC channel would also likewise be effective. <BR><BR>To get rid of the vulnerability, you have two choices. You can install XP's new SP1, which will give Billg remote root privileges on your box by virtue of his new, Trojan EULA (and silently re-enable some services you may have disabled like 'automatic update'); or you can just go to C:WindowsPCHEALTHHELPCTRSYSTEMDFS and find the file uplddrvinfo.htm. This you can simply delete or rename. But beware of installing MS patches later on: these have a funny tendency to restore files and settings outside their immediate purview, back to Redmond defaults. To check it out I did a clean install of XP and verified the exploit on a virgin image. I then installed all of the XP patches and updates except SP1, and it still worked. So SP1 is the only 'official' means of fixing the hole. It's not otherwise been dealt with. Those who object to the SP1 EULA on moral grounds will have to delete or rename uplddrvinfo.htm, and do a search for it after subsequent patching to verify that it's still gone. <BR><BR>Problems with the XP Help Center have been known for some time, at least since November 2001, when this exploitable buffer overflow was first reported. Now the issue has finally been fixed, in the background, with no announcement from Redmond. This means that any XP user who doesn't install SP1, and who never hears of the flaw, will remain vulnerable. <BR><P></P>----------------------------((( SECOND EXTRACT )))-------------------------------<BR><P></P>SP1 also contains updates from Microsoft's 'Trustworthy Computing' code review. In this area, a controversial feature is the presence of Microsoft's strict End User License Agreement (EULA). Under the terms of the agreement, Microsoft reserves the right to automatically download OS components onto your computer that may - in the name of securing content - disable your ability to copy or play certain software. THIS OPENS A HUGE BACKDOOR WAITING TO BE EXPLOITED - STICK WITH PLAIN XP!<BR><P></P>Also within SP1 - to try clamping down on software piracy - is a product activation system that <U>detects leaked activation codes</U>. XP installations using <U>the illegally cloned software</U> (with the well known keys) will <U>be rejected by the service pack.<BR><P></P></U>Windows XP SP1 is available to the general public from the Windows XP Web site or on CD by request. It will weigh in at <U>a mighty 133Mb</U>.<BR><BR><P></P>---------------------------------- why am i always thinking of 'animal farm','1984' and 'the great dictator' nowadays?<BR><P></P><BR>&nbsp;<BR><P></P><BR>&nbsp;<BR><P></P></FONT><FONT face="Times New Roman" size=2><BR>&nbsp;<BR><P></P></FONT>

Around the same time, there were new service packs for the other OSs. I grabbed the SPs for win98 and win2000. Do you suppose they also have this active EULA?<BR><BR>I heard about the EULA thingy long ago on the radio. I don't care for the idea of people claiming MY computer as their domain. I bought the parts, I put it together, and I went through a lot of crap to get it to work the way I want it to. IT'S MINE!!! <BR>

<img src="i/expressions/face-icon-small-mad.gif" border="0">&nbsp;&nbsp; just goes to show<BR>&nbsp;&nbsp;&nbsp; there's no way to know<BR>&nbsp;&nbsp;&nbsp;&nbsp;less something slips out<BR>&nbsp;&nbsp;&nbsp; - bring back thumbscrews!

now i'm gonna have to decide if i want to actually install SP1... based on articles you posted auld, i would say hell no, but 133 mb isn't just this EULA code.<BR><BR>what are the good parts of SP1? is it just more endless device drivers? or are there real benefits (i.e. WMP 9)?<BR><BR>also, this uplddrvinfo.htm will be gone from my comp shortly, but what about it or other files that enable the active EULA after installing SP1? there's gotta be files you can clean out that sp1 puts on your comp, right?

Apearantly, the Media Player "security" update has the same deal. It fixes a few holes, and provides the active EULA. Same deal with win2000 SP3, though I believe (don't know for sure) that you can disable it in win2000 by disabling the autoupdate. (this live update thingy is new; it comes with SP3.) And, I believe that in winXP (again, I don't know for sure) you can disable it by getting rid of that file, which was named in Auld's post, and disabling autoupdate.<BR><BR>De Ja Vu... <img src="i/expressions/face-icon-small-shocked.gif" border="0">

SP1 is not a big deal, it has helped my system.<BR><BR>You can shut off Auto-Updates, and with XP-Antispy you can also shut off the Media Player ID#, and eliminate Alexa from IE.<BR><BR>There are a couple updates after SP1 to plug the newer holes, so get them too.

<img src="i/expressions/face-icon-small-smile.gif" border="0">&nbsp;&nbsp; hope this answers your queries. (trawled from another newsletter):-<BR><BR>&nbsp;"SERVICE PACK SECURES XP<BR>Windows XP Service Pack 1 (SP1) brings together all of the security fixes and updates issued since the operating system shipped last year, as well as some minor changes to comply with rulings from the long-running antitrust case in the US. Windows XP SP1 contains relatively few new features, but rather focuses on improving security and enhancing the user's experience,with all patches and updates now rolled into a single download.<BR>However, some changes have been made to improve application compatibility. A&nbsp;lot of applications that were problematic before, now work out of the box. SP1 also contains all updates resulting from the Windows code review conducted earlier this year as part of Microsoft's Trustworthy Computing security initiative.<BR>&nbsp;Another new feature is a tool that lets users hide some Windows&nbsp;components,&nbsp;such as Internet Explorer, Windows Media Player and Outlook Express,and&nbsp;make rival software such as Netscape's Navigator browser the default&nbsp;application for Web browsing.&nbsp;This delivers changes required by a decree signed with the US Department of&nbsp;Justice last November. However, the new feature simply removes the<BR>application icons from the Windows desktop and program menus - it does not uninstall the Microsoft applications.<BR>Windows XP SP1 will serve as the foundation for forthcoming Microsoft&nbsp;initiatives such as the pen-driven Tablet PC and Windows Powered Smart&nbsp;Displays,which let users access their computer from a short distance away,&nbsp;typically using a wireles LAN&nbsp;&nbsp; connection."<BR><BR>and i bet the big bad wolf told the three little pigs he was an interior decorator.<BR>

<img src="i/expressions/face-icon-small-happy.gif" border="0"><BR>heads up,lads! <BR>here's some more info to keep you loving XP.<BR>go to&nbsp;&nbsp; <FONT size=2><A href="http://xp-refresh.net/">http://xp-refresh.net/</A> </FONT>

Auld: I read that page and filled out that suggestion form. Do you find it interesting Microsoft leaves out eye strain in their erganomics information section at their website?

<img src="i/expressions/face-icon-small-cool.gif" border="0"><BR>hi,zog!<BR>your question raises two points:-<BR>ONE:-&nbsp; they are getting impatient of waiting to kill-off everyone by blood pressure and the blue screen of death,not to mention trapdoors and viruses&nbsp; (and they have been sneaky enough&nbsp;with those).&nbsp;<BR>TWO:-&nbsp; so they are now trying to blind us as well<BR><BR>have a nice day!<BR><img src="i/expressions/face-icon-small-happy.gif" border="0">

M$ is gonna do what they are gonna do. it's all in the EULA. hell, even media player can screw you. it's no biggie (if you know what to do).<BR><BR>do what WDB said... and get XP Anti-Spy from <a target=new class=ftalternatingbarlinklarge href="http://www.xp-antispy.de/index.html?/news-e.htm">here.</a> has a bunch of different features that you can "kill" (including getting rid of MS Messenger).<BR><BR>Also, as far as all the other crap, get yourself some sort of software firewall (free Zone Alarm 3.1 will do), and turn off the built-in XP firewall (only blocks incoming traffic). Turn off automatic updates (in system properties). Another thing you will want to do is go to your Administrative Tools, then services. Disable the "Remote Registry Access" service. It's ghay (not that there's anything wrong with the <img src="i/expressions/face-icon-small-wink.gif" border="0">), and unless you really need to use it (do you?), it's useless.<BR><BR>as far as the uplddrvinfo.htm file, just do a search (mind you, i never have had this file on my XP machine at home), and rename it uplddrvinfo.htm.bak or something similar. problem solved (as if there is such a thing when dealing with an M$ product).<BR><BR>it's funny that soooo many ppl are worried about this:<BR><br><br><< <i>Also within SP1 - to try clamping down on software piracy - is a product activation system that detects leaked activation codes. XP installations using the illegally cloned software (with the well known keys) will be rejected by the service pack.</i> >><br><br><BR>uh, isn't that OK for M$ to not allow the install of SP1 on computers using a hacked OS? goof balls. go beat up your local college student, and make them go into the bookstore to buy you a $10 copy of XP. cheap bastards. <img src="i/expressions/face-icon-small-happy.gif" border="0"><BR><BR>btw... i have an XP machine at both work and home (along with all the other various OS's that are being run). i've installed SP1 on both, and never had a problem. actually made the OS a little more stable (although it was "rock" before).<BR><BR>i truly understand the concerns, and am by no means a M$ fan. i personally think they can take that EULA and stick up their arses. but... it's the best $10 OS i've ever used!!!!