Windows XP: XPect Hassles

Microsoft fixes some glitches--including biggies--in its new operating system.

Stuart J. Johnston

Thinking about getting Windows XP? Maybe you should wait until the dust settles. My e-mail in-box has been flooded with reports of bad "XPeriences" with the new operating system (see our news story for more details on XP's specific problems).

One serious snag: If you purchased a new PC with Windows XP preinstalled, and you subsequently reinstall, repair, or upgrade XP, Microsoft says that you may lose some important files and settings, including files you store in XP's Shared Documents folder. This bug does not affect users who upgrade to XP from another OS.

Microsoft issued a patch to fix the problem. Unfortunately, the fix cannot retrieve your lost data and settings--another good argument for frequent backups. Download the patch or go to Windows Update to grab XP's Critical Updates.

XP Security Threats

What else is wrong with Windows XP? This: It allows crackers to get access to your computer through the Universal Plug and Play feature.

Universal Plug and Play is an extension of the Plug and Play system that has been around for years. Plug and Play is meant to let you automatically use devices connected to your computer--like printers and scanners--without having to futz around with installation disks and device drivers. Universal Plug and Play allows your machine to find and use devices connected anywhere on a network.

However, a pair of flaws in the way that Universal Plug and Play "discovers" devices could enable a bad guy to crash your system, or even take complete control of it.

Devices compatible with Universal Plug and Play send out messages, called notifications, to tell XP that they're available for use. A hacker bent on sabotaging your PC could send you a message that is designed to look like a genuine notification. In reality, though, the false message would contain too much data, causing Universal Plug and Play to overflow. The malevolent hacker could then run code that circumvents XP's security protections.

A second hole also involves bogus Universal Plug and Play notifications sent over the Net, but is less serious. However, it could also affect Windows Me users if they have enabled Universal Plug and Play. (Windows 98 users would be affected only if they have installed the Windows XP version of Internet Connection Sharing.)

Legitimate Universal Plug and Play notifications sometimes contain the URL of a server where Windows can find information that lets the OS use the device. A fake notification could contain a URL that sends Windows too much information. Fortunately, this hack would only cause your computer to slow drastically or crash. Microsoft's patch takes care of both problems. Visit Windows Update or download the patch.

Stuart J. Johnston is a contributing editor for PC World.

Bugged?

Found a hardware or software bug? Tell us about it via e-mail at bugs@pcworld.com.

In Brief

IE Security Flaws

Microsoft has posted a cumulative patch for Internet Explorer that fixes all known security holes in IE 5.5 and 6.0, three of which were only recently discovered. Get this patch.

Romantic Worm

Watch out for W32.Gokar @MM. This worm is suave and comes with subject lines like "Just one kiss will make it better." The worm won't damage your PC, but it will mail itself to everyone in your address book. Go to McAfee's removal advice or check out Symantec's instructions.

Beware BadTrans

A known worm is back in a new variation, and I've received dozens of infected e-mails from readers. Dubbed W32.BadTrans.B@MM, the worm not only e-mails itself to your friends, but also records your passwords and forwards them to the hacker. See Symantec's removal information, or see McAfee's set of instructions.