|
Click any of the images above for a full size view.
| File stats for: XPdite |  |
|
|
Last Updated:
Size: 30k |
Sep 17, 2002 at 09:22
(3,803.56 days ago) |
Downloads/day: 10
Total downloads: 1,126,951 |
Current Rank: 17
Historical Rank: 8 |
| |
|
What is going on?
Ever since its original release, Windows XP has contained a critical flaw that could be trivially exploited at any time by any malicious hacker. By causing any Windows XP system to process a specially-formed URL (web-style link), the XP system would obediently delete all or most of the files within any specified directory. (That's not good.)
This flaw is considered critical because these malicious URLs could be delivered to any XP user through any means: via an eMail solicitation, a chat room, a newsgroup posting, a malicious web page, or even processed automatically without the user clicking anything by merely visiting a malicious web page. (That's bad.)
Microsoft was informed of this easily-demonstrated, quite significant, and easily fixed Windows XP defect back in June of 2002. But they chose not to proactively address the significant vulnerability created for their users until the September 9th, 2002, release of Windows XP's first service pack.
Since Windows XP Service Pack 1 repairs many more security, stability, and compatibility problems than just this critical exploit, XPdite should not be considered a replacement for the installation of the whole Service Pack 1. However, reports are that XPdite is much safer to use than Service Pack 1 (see Service Pack 1 caution below) so it may be wise to approach the installation of Service Pack 1 with some caution.
Since the immediate installation of the huge Service Pack 1 may not be feasible for all Windows XP users, or because its installation may cause serious side-effects, and since this vulnerability is so trivially exploited and creates a significant risk to all Windows XP users, I wrote this tiny, quickly and easily downloaded vulnerability patch utility which can be used to instantly patch and secure any Windows XP system against this vulnerability.
The story continues . . .
Microsoft's original response to people (myself vocally among them) suggesting that they should offer a separate patch for this vulnerability was:
| "Others have suggested that Microsoft should have released a patch in addition to including the fix in Service Pack 1. We did consider this as an option when we investigated the report. However, because of architectural details associated with Help and Support Center, building a patch for this particular issue would have required significant technology development." |
This assertion by Microsoft was called into question by the fact that I wrote XPdite in half a day. XPdite completely cures this vulnerability and protects XP users from its exploitation. I didn't develop any "significant technology" to do it — I just changed one insecurely designed file. That's all Microsoft had to do if they had wanted to.
What may have really happened . . .
I believe that someone at Microsoft was probably too busy dealing with the many demands they face, and they simply screwed up. Despite the crushing responsibility they carry, they're only human. If we assume that this was simply an oversight, at this point liability concerns probably prevent them from admitting that they goofed. They may know this internally, but we'll never know whether they know, which makes trusting them just a little bit more difficult today than it was yesterday — especially if this original decision was deliberate.
The take away-lesson from this is: We need to watch our own backs. Microsoft will do what it can, but that won't be enough. And when asked afterward what happened, they won't be able to tell us the truth.
One month later . . .
Presumably due to pressure put on Microsoft by my creation of XPdite, which demonstrated for the entire world how easily this serious vulnerability could actually be fixed, coupled with all of the serious problems being experienced after XP's Service Pack 1 was installed, Microsoft officially reversed their earlier position and released a separate security patch to address this problem:
~ NEWS FROM MICROSOFT ~
Microsoft gets a clue: A little more than one month after the release of Service Pack 1 — and after more than 180,000 downloads of our 30 kbyte "XPdite" exploit patcher — Microsoft has apparently seen the light. Microsoft's Security Bulletin MS02-060 discusses this problem and provides a link to their own 1.35 megabyte patch for this problem.
Microsoft explains: "... we initially planned to deliver the fix for this issue only via Service Pack 1, but subsequently made the decision to also make it available as a patch. Although there were sound reasons for the original decision, we reconsidered based on feedback from our customers, who in some cases advised that they had not yet found sufficient time to deploy Service Pack 1."
So, please be advised that you now have a second alternative to the use of our 30 kbyte XPdite utility: You may download and apply Microsoft's official 1.35 megabyte patch. |
|
And, just to take this vulnerability out of the realm of theory . . .
~ EXPLOIT UPDATE ~
As feared and expected, just five days after the release of Service Pack 1, and the publication of this vulnerability's details by irresponsible web journalists, instances of malicious URLs for deleting all files from user directories started appearing on the Internet.
PLEASE be sure to inform your friends and associates who are using XP about the need to either update to Service Pack 1, or quickly run XPdite on their systems. |
|
What should you do?
Today, you have three choices:
As 1,126,951 people already have, you may quickly download and run the 30k XPdite program on your Windows XP system. it will instantly eliminate this critical vulnerability. XPdite only needs to be run once to secure your system from this trouble, after which if can be deleted from the system. In fact, if you right-click on the XPdite link and choose 'Open' or 'Run', you can run it without even installing it in your system.
Or you can choose to download Microsoft's official 1.35 megabyte patch to deal with this vulnerability. I have no idea what you get for 1.35 megabytes, so I can not, and do not, recommend or vouch for it, but I can't imagine that it might wreck anyone's system the way Service Pack 1 can. The patch will fit on a blank 1.44 megabyte diskette, so it's feasible to carry it around if you have more than one XP system in need of patching.
(Please see the green "News From Microsoft" box above for the relevant links.)
And, of course, you can bite the bullet, hold your breath (for a long time) and download the Windows XP Service Pack 1.
However, now that Microsoft has addressed this vulnerability with their own patch, Service Pack 1 should not be applied merely as a remedy for this trouble. Given the troubles which have been caused by Service Pack 1, if you do not wish to use XPdite, you should probably use Microsoft's own patch. Perhaps at some point they'll release a service pack for the service pack.
Using XPdite
XPdite only needs to be run once on any Windows XP system. The system will subsequently be protected from this vulnerability.
Simply download and run the 30 kbyte XPdite utility. That's all there is to it. As you can see in the screen-shots above, XPdite will display the current condition of your system and, if necessary, provide the option of updating one crucial file to instantly eliminate future danger. You may then either keep XPdite around for periodic (but probably unnecessary) check-ups, or to provide to your friends and associates.
Whatever you do, PLEASE pass the word to everyone you know who is also using Windows XP. We have no reports yet of any actual exploitation of this critical defect, but now that news of this vulnerability is widespread, the entire security industry will be surprised if such reports do not begin surfacing shortly.
TechTV's Leo Laporte Demonstrates the Vulnerability
On the day of Service Pack 1's official release, Monday, September 9th, TechTV's Leo Laporte walked his audience though a demonstration of this vulnerability. You may find this nine and a half minute clip useful and informative:
| | Leo Laporte demonstrates this
serious Windows XP vulnerability |
Attention: Corporate IT Managers
XPdite may easily be run silently across your entire network.
Thanks to your feedback and requests for a silent logon-scriptable feature in my earlier UnPnP utility, XPdite already includes it.
Running XPdite with the command-line option "runsilent" will cause XPdite to silently execute. Since XPdite thoroughly examines the environment it's running within, it may be ubiquitously deployed across a heterogeneous corporate computing environment without ill effect.
XPdite will ONLY do what it is supposed to do when it is needed.
XPdite Questions and Answers
| | Can Service Pack 1 be installed after running XPdite?
Do XPdite's changes need to be "undone" first?
Service Pack 1 can simply be installed after XPdite has been used on a system without taking any special steps. XPdite's changes are completely compatible with Service Pack 1. |
| | XPdite reports that an "Unknown File is Present." Is this any cause for concern, and what might be causing this report?
Prior to version 1.1, XPdite was performing a simple "sanity check" on the existing file by checking the file's length. Since non-English versions of the file will be different lengths, this was only useful for English language versions of Windows XP. XPdite version 1.1 added language-independent recognition of the file, eliminating these reports on non-English systems. |
| | After I installed Service Pack 1 on a non-English Windows XP system, XPdite says "Unknown File is Present." What might be causing this report?
This will only occur with XPdite prior to version 1.1 on non-English systems. XPdite version 1.1 uses a language-independent approach for identifying the old and new (bad and good) files. |
XPdite, and the XP vulnerability, in the news
| | XP Service Pack Said to Fix Major Flaw — September 10, 2002
by PCWorld.com Staff |
| | Patch Plugs Win XP Hole Without SP1 — September 13, 2002
by Stuart J. Johnston, special to PCWorld.com |
| | Win XP Update Crashes Some PCs — September 20, 2002
by Stuart J. Johnston, special to PCWorld.com |
XPdite Version History
| | Version 1.0 — September 12, 2002
- Initial release. |
| | Version 1.0.1 — September 12, 2002
- A bit of code was added to randomly name the backup file so that the file created during the exploit cure can not itself be exploited. |
| | Version 1.0.2 — September 13, 2002
- Some of the screen presentation text was edited to improve the clarity of the messages.
- Since the Windows XP enterprise .NET server has the same vulnerability, XPdite now also recognizes vulnerabilities there also. |
| | Version 1.0.3 — September 15, 2002
- Awareness of administrative rights was added. XPdite now prompts a non-Admin user to switch to an administrative account when something is in need of fixing. |
| | Version 1.1.0 — September 16, 2002
- XPdite is now language independent. It identifies the old and new (bad and good) files regardless of the Windows XP language. |
| | Version 1.1.1 — September 17, 2002
- Version 1.1.0 was mistakenly released with a developmental "test switch" set, allowing it to be exercised on non-XP systems (since I do not yet use XP). This version corrects that so that the proper message will be delivered in all cases. |
Again: EVERYONE using Windows XP, who has not already installed the huge (30 to 140 megabyte) Service Pack 1 — or Microsoft's subsequent patch for this vulnerability — is at risk of having many files maliciously deleted from their systems. PLEASE SPREAD THE NEWS of this critical Windows XP vulnerability — and this quick and simple solution — to everyone whom you know to be using Windows XP. If you or they have already installed Windows XP Service Pack 1, the problem has already been cured.
Otherwise, this small, quick, and free utility will handle the job easily.
Thank you.
|