Windows XP Vulnerability Patched

Microsoft Corp. issued a software hotfix to patch a problem that could render its brand new Windows XP client operating system susceptible to denial-of-service (DOS) attacks. The problem is rated as low risk in Microsoft's new rating system.

Although XP derives much of its code base from Windows 2000, Microsoft says that Windows 2000 systems are not affected by the bug. The new vulnerability affects the software giant’s Windows 98, Windows 98 Second Edition and Windows Millennium operating systems, as well.

In a security bulletin that it distributed to the members of its security mailing list Thursday night, Microsoft confirmed that an attacker could exploit a bug in its Universal Plug-and-Play (UPnP) service to cause a memory leak on Windows XP systems. UPnP services -– which allow computers to discover and exploit network-based resources -– are integrated natively in Windows XP.

An attacker could exploit the UPnP vulnerability by sending an invalid UPnP request to a Windows XP system. If an attacker sends enough invalid UPnP requests to a vulnerable Windows XP system, Microsoft acknowledged, she could so deplete its resources to cause DOS.

According to the software giant’s security bulletin rating system, the new UPnP vulnerability merits a “low” risk -- as a client system only -- for all affected platforms. Microsoft notes that Windows 98 and Windows 98 SE don’t natively incorporate UPnP functionality (it’s enabled only when the Windows XP Internet Connection Sharing client is installed); that Windows Millennium includes UPnP, but doesn’t have it enabled by default; and that XP’s Internet Connection Firewall would prevent an attacker from exploiting the UPnP vulnerability. Microsoft cautions that UPnP is enabled by default on Windows XP systems.

Moreover, the software giant says that if an IT organization has observed standard firewalling practice and blocked access to all non-essential ports – specifically, it says, to ports 1900 and 5000 – its networks will probably be protected from attack from without.

Microsoft says that because Windows NT 4.0 and Windows 2000 don’t include a native UPnP implementation, neither is affected by the vulnerability.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.


  • Microsoft Bolsters Windows IoT with NXP and SQL Server Support

    Microsoft's Internet of Things (IoT) product line is continuing to grow, with a few new developments highlighted this week.

  • Tamper Protection Now Available to Microsoft Defender ATP Subscribers

    The Microsoft Defender Advanced Threat Protection (ATP) E5 subscription plan now has an optional "tamper protection" security feature, Microsoft announced on Monday.

  • Exploring OCR, a New Way To Get Data into Excel

    Microsoft recently added a new optical character recognition feature to Excel that lets users import data from a photograph taken from a smartphone. Here's how to use it.

  • Microsoft Authenticator App To Get Real-Time Phishing Protections

    Microsoft is working on adding capabilities to its Microsoft Authenticator app to help defeat security breaches enabled by advanced attack techniques, including phishing and man-in-the-middle methods.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.