September 27, 2002
Window Manager, Brian Livingston
SP1: gangs of fun
I've reported on patches over the past five weeks, especially the latest service packs for Windows 2000 and XP, which contain new license language. SP3 for Windows 2000 gives Microsoft the right to issue fixes "that will be automatically downloaded to your computer." SP1 for XP had the same language during beta testing, but the final text now says SP1 will install "technological measures that are designed to prevent unlicensed use."
It's these new "measures" in XP SP1 that we'll scrutinize in this and upcoming columns.
Horrid Help. First, I have to warn you about a serious security weakness that affects every XP installation. This problem allows a malicious person to erase all the files in an entire Windows XP folder -- such as C:\Windows -- merely by sending victims an e-mail, no attachment required.
I'm choosing not to say exactly how to do this. But the gist is that Microsoft has created a new protocol it calls hcp:// for the Help and Support Center introduced in XP. This protocol can be initiated by a Web page or an e-mail. Help then runs with elevated privileges, to devastating effect.
This hole is closed if you install SP1. But many people aren't embracing SP1 because it involves a 30MB to 140MB download and has a bad reputation due to its many quirks (more on them later).
Although Microsoft has known of the Help flaw at least since June, "for inscrutable reasons they chose not to proactively act to close the hole before SP1," says white-hat hacker Steve Gibson.
As a result, Gibson has posted an explanation and a small 30KB utility called XPdite at http://www.grc.com/xpdite/xpdite.htm. This utility tests for and patches only vulnerable XP systems. XPdite can be inserted by system admins into corporate log-on sequences to fix all their XP machines.
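Because the hcp:// protocol can be started from an e-mail, a mail administrator can also flag any message whose text or HTML parts reference that scheme. The sketch below is an added example, not code from this column, from XPdite or from Microsoft; the function names and both sample messages are constructed for illustration, and the host name "placeholder" stands in for any real Help target.

```python
import re
from email import message_from_string
from html import unescape
from urllib.parse import unquote

# The scheme named in the column; URL schemes are case-insensitive.
HCP_RE = re.compile(r"\bhcp\s*:\s*//", re.IGNORECASE)

def normalise(text):
    """Undo HTML-entity and percent encoding until the text stops changing,
    so an obfuscated or double-encoded scheme is still recognised."""
    prev = None
    while prev != text:
        prev = text
        text = unquote(unescape(text))
    return text

def find_hcp_references(raw_message):
    """Return [(content_type, hit_count)] for each text part mentioning hcp://."""
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue                      # skip attachments and containers
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "latin-1"
        try:
            text = payload.decode(charset, errors="replace")
        except LookupError:               # unknown charset label in the header
            text = payload.decode("latin-1", errors="replace")
        count = len(HCP_RE.findall(normalise(text)))
        if count:
            hits.append((part.get_content_type(), count))
    return hits

# Constructed sample: HTML mail hiding the scheme behind entity and percent encoding.
SAMPLE_FLAGGED = (
    "From: a@example.test\nTo: b@example.test\nSubject: constructed sample\n"
    "MIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n"
    '<html><body><a href="&#72;CP%3A//placeholder">help</a></body></html>\n'
)
# Constructed sample: ordinary plain-text mail that only talks about Help.
SAMPLE_BENIGN = (
    "From: a@example.test\nTo: b@example.test\nSubject: constructed sample\n\n"
    "See the Help and Support Center documentation.\n"
)

if __name__ == "__main__":
    print(find_hcp_references(SAMPLE_FLAGGED))
    print(find_hcp_references(SAMPLE_BENIGN))
```

A hit means only that the message mentions the scheme, so flagged mail is best quarantined for review rather than silently dropped.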
You break it, you bought it. Those quirks I mentioned above include the fact that installing SP1 breaks a surprising number of things. For instance, reader John Galus found that running SP1 shuts down the "multiple identity" feature of Outlook Express. Microsoft has confirmed this and offers a workaround at http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329084.
Bruce Kratofil, my Windows 2000 Secrets co-author, notes that two dozen SP1 installation issues are already documented at http://support.microsoft.com/default.aspx?scid=kb;en-us;Q324722. He warns, "There could be a whole lot of grief if this stuff gets automatically updated without you knowing about the issues ahead of time."
Key to the future. That brings us to the new technological measures SP1 adds to automatic updates of XP. In a nutshell, your numeric "product key" is now sent back to Microsoft via the Internet when XP's Product Activation is run with SP1 present. If a corporate product key was used to illegally install a copy of XP, a download of SP1 will refuse to run. Most interesting, Microsoft will be able to ban certain keys in the future, which could prevent updates and/or activations.
We'll look at the implications of that next week.