Windows XP Vulnerability Patched

Microsoft Corp. issued a software hotfix to patch a problem that could render its brand new Windows XP client operating system susceptible to denial-of-service (DOS) attacks. The problem is rated as low risk in Microsoft's new rating system.

Although XP derives much of its code base from Windows 2000, Microsoft says that Windows 2000 systems are not affected by the bug. The new vulnerability affects the software giant’s Windows 98, Windows 98 Second Edition and Windows Millennium operating systems, as well.

In a security bulletin that it distributed to the members of its security mailing list Thursday night, Microsoft confirmed that an attacker could exploit a bug in its Universal Plug-and-Play (UPnP) service to cause a memory leak on Windows XP systems. UPnP services -– which allow computers to discover and exploit network-based resources -– are integrated natively in Windows XP.

An attacker could exploit the UPnP vulnerability by sending an invalid UPnP request to a Windows XP system. If an attacker sends enough invalid UPnP requests to a vulnerable Windows XP system, Microsoft acknowledged, she could so deplete its resources to cause DOS.

According to the software giant’s security bulletin rating system, the new UPnP vulnerability merits a “low” risk -- as a client system only -- for all affected platforms. Microsoft notes that Windows 98 and Windows 98 SE don’t natively incorporate UPnP functionality (it’s enabled only when the Windows XP Internet Connection Sharing client is installed); that Windows Millennium includes UPnP, but doesn’t have it enabled by default; and that XP’s Internet Connection Firewall would prevent an attacker from exploiting the UPnP vulnerability. Microsoft cautions that UPnP is enabled by default on Windows XP systems.

Moreover, the software giant says that if an IT organization has observed standard firewalling practice and blocked access to all non-essential ports – specifically, it says, to ports 1900 and 5000 – its networks will probably be protected from attack from without.

Microsoft says that because Windows NT 4.0 and Windows 2000 don’t include a native UPnP implementation, neither is affected by the vulnerability.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.


  • How To Configure Windows 10 for Intel Optane Memory

    Intel's Optane memory technology can significantly improve the performance of your Windows 10 system -- provided you enable it correctly. A single mistake can render the system unbootable. Here's how to do it the right way.

  • Microsoft and SAP Enhance Partnership with Teams Integration

    Microsoft and SAP this week described continuing partnership efforts on Microsoft Azure, while also planning a Microsoft Teams integration with SAP's enterprise resource planning product and other solutions.

  • Blue Squares Graphic

    Microsoft Previews Azure IoT Edge for Linux on Windows

    Microsoft announced a preview of Azure IoT Edge for Linux on Windows, which lets organizations tap Linux virtual machine processes that also work with Windows- and Azure-based processes and services.

  • How To Automate Tasks in Azure SQL Database

    Knowing how to automate tasks in the cloud will make you a more productive DBA. Here are the key concepts to understand about cloud scripting and a rundown of the best tools for automating code in Azure.

comments powered by Disqus