XP Help Center request wipes out HD..


Paul Wilders
September 13th, 2002, 04:03 AM
A malicious Win-XP Help Center request can easily and silently delete the contents of any directory on your Windows machine. Worse, MS has rolled the fix silently into SP1 without making a public announcement. A good sketch of the problem in English, along with a harmless self-test, can be found here (http://24.78.2.184/helpcenter.htm), thanks to Mike at http://unity.skankhouse.org, who did some tinkering after noticing a tip on a BBS.

Another, slightly earlier, mention comes from VSAntivirus, but the page, unfortunately, is en español, though there are some handy screen shots in their bulletin.

more.. (http://www.theregister.co.uk/content/55/27074.html)

Checkout
September 13th, 2002, 04:16 AM
I wonder how M$ can possibly fix all their outstanding security/privacy problems when they themselves create them faster than they can fix 'em.

Paul Wilders
September 13th, 2002, 04:39 AM
Gibson does offer (some sort of) solution in this context. Have a look here (http://grc.com/default.htm).

Most probably, a manual registry hack will make this exploit useless, without the need to install SP1:

- Open Regedit
- Delete HKEY_CLASSES_ROOT\hcp
- Close Regedit

Note: this could affect the Help & Support Center.

Still pending...

regards.

paul

Vampirefo
September 13th, 2002, 05:46 AM
Looks like Gibson has created a program that replaces one file, and this closes the hole. http://grc.com/xpdite/xpdite.htm

Checkout
September 13th, 2002, 05:59 AM
Vampirefo...Security Expert? Surely not the same guy who tried to spread molten lava all over DCS a while ago?

Confused. ???

Paul Wilders
September 13th, 2002, 06:15 AM
Quote from Checkout:
> Vampirefo...Security Expert? Surely not the same guy who tried to spread molten lava all over DCS a while ago?
>
> Confused. ???

Yep. All settled and in the past now. And as for the title: one can hardly deny Vampirefo's skills ;)

regards.

paul

Checkout
September 13th, 2002, 06:49 AM
Hmm...a remarkable change of writing style. I always suspected there was more there than met the eye! :)

MickeyTheMan
September 14th, 2002, 08:12 PM
Quote from Forum Admin:
> Quote from Checkout:
> > Vampirefo...Security Expert? Surely not the same guy who tried to spread molten lava all over DCS a while ago?
> >
> > Confused. ???
>
> Yep. All settled and in the past now. And as for the title: one can hardly deny Vampirefo's skills ;)
>
> regards.
>
> paul

Agreed. One's opinion doesn't make him/her less competent because of not being in agreement with you.