Uplddrvinfo.htm security risk

Uplddrvinfo.htm Contains JScript Code That Might Permit a Malicious User to Delete Files - Q328940 just released yesterday. Note: this is a normal windows file and should be in windows\pchealth\helpctr\system\dfs.

Per M$, fixed by SP1. If for some reason you aren't getting the SP for a while, probably a good idea to not use the file until they get a seperate patch for it. Rename to Uplddrvinfo.htm.old maybe.

 

I think the intent may have been to use this scare tactic to encourage everyone to download sp1 right away. We have yet to find out what lurks therein.

I didn't notice anywhere in the KB where they recommended any alternate method (renaming file) so it speaks for itself.

 

I think they just want to scare everyone with pirated copies of WinXP so they purchase a LEGAL copy or C.D. Key to upgrade, BEFORE SP1 gets hacked too.

That probably already happened as we read this forum, or it's about to happen, but anyway, could be translated into a massive income to M.$. Anyway, going to rename that file as I write... (no SP1 for me yet, just on a 33.6 Kbps dial-up connection )

 

...I heard yesterday from a buddy who experienced this bug firsthand...

A total re-install was his only recourse...

Steve Gibson has a quick-fix on his site, for users who don't have SP1 yet -

http://grc.com/xpdite/xpdite.htm

 

I have experimented with just updating the one file, Uplddrvinfo.htm, and that's all that's necessary to avert this security threat and still have full functionality of the driver assistance service. That's curious and makes you wonder why they didn't offer the new version of that file sooner instead of hiding it inside the SP1, which is where I plucked it from. I saved a copy before ditching the SP1.

The renaming of the existing Uplddrvinfo.htm file will also avert the issue but you will lose the driver assist feature, not that it's any big loss.

Here's a couple good reads about this little problem:

http://www.jmu.edu/computing/security/info/xphelp.shtml

http://www.theregus.com/content/4/26272.html

 

Is that a misprint (dldrvinfo.htm) or is this a second file that needs attention (as opposed to Uplddrvinfo.htm)???

Is there an easy way to get just the one file?

 

Thanks Rich

That was a mistake! I had the entire path on my clipboard and edited a little too much.

I don't know of any easy way to get just that one file without getting the whole nine yard package. I was going to publish the contents, since it's essentially a text file. When I compared the differences, I quickly saw that it wouldn't be practical, lots of changes. I even tried pasting the contents into a post but the line wrap corrupted it too much for normal usage.

I'm sure someone will offer it up on their site pretty soon.

Thanks again.

 

Zephyr -

I am curious about that...My friend installed WinXP, and added the 133MB SP1 upgrade, and he reports there is *no* Uplddrvinfo.htm file on his new install...

I wonder if Uplddrvinfo.htm was part of a "critical update" that was added after the initial release of WinXP Build 2600???

I've just renamed my file for now...

 

The complete path is;

C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\uplddrvinfo.htm

The original was 31.7 KB dated 6 Nov 2001 while the new version is 32.2 KB dated 10 Sep 2002. I can't imagine why your friend doesn't find it on his drive. It's not a hidden or System file so a typical search using even XP's "Greatly lamed" Find feature should turn it up.

I actually have the renamed file plus the new one; I downloaded the SP1 after I had performed the rename.

 

Yup; that's where mine was, too (WinXP Pro).

I have most critical updates, but on the advice of many more knowledgeable than me (Arie for one!), I'm going to wait a bit before applying SP1...

 

Well, my curiosity got the better of me...

...And since I had DriveImage 2002 sitting here...

I returned my Uplddrvinfo.htm back to its rightful name, and imaged my XP HDD and then installed SP1...

And I now also have the new Uplddrvinfo.htm file, 32.2KB, 10 Sept 2002...

So, I'm at a loss as to what happened to my friend...But I did inform him of my upgrade...

 

The inevitable has happened. You can now get the new version of this file without installing the SP1 and have protection and functionality while waiting for the SP to get the bugs cleared.

It available here for free download. The program will rename your old file and install the "Good" one in the proper directory.

It will not adversely affect any subsequent install of SP1.

 

...Uh, yeah...

That was my original reply to this thread...

 

Rich B.

I wonder why that wasn't spelled out in the information on his site? I didn't see anywhere that it said the new file would be supplied. It initially just said the old one would be renamed to a random name that couldn't be exploited. Now when I re-read the page again today, it actually says it "updates" the file. Hmmm..

The person that informed me was someone who had used the fix and found out it actually supplied the new version. That revelation took place when attempting to install a copy of the new version that I had mailed to them. The message came up saying the file was the same size/date as the one already on the drive.

Perhaps it didn't work that way at the outset and the file was added later. It didn't say that in the revisions though.

Oh well, all's well that has apparently ended well. Or has it.

Thanks
edit: I just renamed my MS SP1 supplied version of Uplddrvinfo.htm and ran the XPdite utility to get their version. Then I did a File Compare in command mode. It shows to be identical so I trust it now.

 

You're probably right about Gibson revising his patch. I did get the first one when it was announced, I think I'll take a look and get the latest one, too.

I'm not at all happy with Microsofts' take on this...

"We concluded that the best way to deliver the fix was via [SP1]. This is in keeping with our long-held conviction that service packs--not patches--are the delivery vehicle of choice for security fixes," says a Microsoft statement posted this week. A Microsoft spokesperson verified the company will not release a separate security patch for that specific bug. (PCWorld)

I imaged my drive and installed SP1...But I'm restoring my pre-SP1 image...

I don't like Microsofts insistance on SP1, and I don't trust them one bit.

I fully expect to see more revelations about hidden issues with SP1.

 

I agree. I think MS is evoking semantics to the extent that they would like to distance themselves from the connotations that the word patch has and use the more desirable term service pack. We all know the service pack is in reality a grouping of patches. They can call it whatever they like, it's still gonna smell the same.

I'm still hangin' with my "Gibsonized" system until the smoke clears and all the gremlins are exposed on SP1. I fully realize that it will eventually be necessary to do battle with it since MS will require it in order to get subsequent updates. Still......waiting is prudent.

Thanks.