Windows Security Bulletin

SECURITY ALERT: If you use Windows XP your system is vulnerable to a very simple attack that could let any hacker delete all the files in any directory by embedding a short invisible command in a web page or HTML email. I've demonstrated the attack on The Screen Savers and it's incredibly easy to implement and totally destructive. It's one of the most serious security flaws I've ever seen.

Microsoft has remained completely silent on this, even though they've apparently known about it for 11 weeks. The potential for harm is so great that they and the entire computer security establishment have kept the hole a secret. It's called "security through obscurity" and, in my opinion, it's the worst possible way to protect your system.

The short-term fix is to delete or rename a file on your system named C:\Windows\PCHEALTH\HELPCTR\System\DFS\uplddrvinfo.htm. A better long-term solution is to install the Windows XP Service Pack which Microsoft made available yesterday. It's a fairly big download, over 50 megs on my fully updated system, but it presumably fixes other security flaws we don't know about.
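The check below is an added example, not part of the original post, for auditing a machine against the short-term fix described above: it reports whether the help-center page still exists and which service pack is installed, and renames the file only when asked. It assumes PowerShell 2.0 or later has been installed on the XP machine; the function name and the ".disabled" backup suffix are my choices.

```powershell
# Audit, and optionally apply, the short-term mitigation: rename uplddrvinfo.htm.
# Assumptions: the file lives under $env:SystemRoot at the path given in the post;
# the function name and the ".disabled" suffix are this example's own choices.
function Invoke-UpldDrvInfoMitigation {
    [CmdletBinding()]
    param(
        # Only rename the file when this switch is given; the default is audit only.
        [switch]$Remediate
    )

    $target = Join-Path $env:SystemRoot 'PCHEALTH\HELPCTR\System\DFS\uplddrvinfo.htm'

    # Service pack level, since the long-term fix is SP1 or later.
    $csd = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CSDVersion
    if (-not $csd) { $csd = '(none)' }

    $result = [pscustomobject]@{
        FilePresent = Test-Path -LiteralPath $target
        ServicePack = $csd
        Action      = 'audit only'
    }

    if ($result.FilePresent -and $Remediate) {
        # Rename rather than delete so the change is reversible if a later update needs the file.
        $backupName = (Split-Path $target -Leaf) + '.disabled'
        Rename-Item -LiteralPath $target -NewName $backupName -ErrorAction Stop
        $result.Action = "renamed to $backupName"
    }
    elseif (-not $result.FilePresent) {
        $result.Action = 'file absent; short-term fix already in place'
    }

    return $result
}

# Usage: Invoke-UpldDrvInfoMitigation             # report only
#        Invoke-UpldDrvInfoMitigation -Remediate  # rename the file (run as Administrator)
```

A ServicePack value of "Service Pack 1" or later means the long-term fix is already installed and the rename is unnecessary.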

Steve Gibson has written about this flaw and it was the subject of a security bulletin on Bugtraq.

This is one more reason I'm no longer recommending Windows machines to my family and friends. Microsoft's security model is so severely flawed that I believe it's impossible for them to make a secure version of the OS. Use Mac OS X instead. It's not perfect, either, but it's much less susceptible to this sort of thing.

And if you use XP, please run Windows Update and install SP-1 as soon as possible. Now that the word's out I expect to see this exploit all over the place.