Windows XP Vulnerability Patched

Microsoft Corp. issued a software hotfix to patch a problem that could render its brand-new Windows XP client operating system susceptible to denial-of-service (DoS) attacks. The problem is rated as low risk in Microsoft's new rating system.

Although XP derives much of its code base from Windows 2000, Microsoft says that Windows 2000 systems are not affected by the bug. The new vulnerability affects the software giant’s Windows 98, Windows 98 Second Edition and Windows Millennium operating systems, as well.

In a security bulletin that it distributed to the members of its security mailing list Thursday night, Microsoft confirmed that an attacker could exploit a bug in its Universal Plug-and-Play (UPnP) service to cause a memory leak on Windows XP systems. UPnP services, which allow computers to discover and use network-based resources, are integrated natively in Windows XP.

An attacker could exploit the UPnP vulnerability by sending an invalid UPnP request to a Windows XP system. If an attacker sends enough invalid UPnP requests to a vulnerable Windows XP system, Microsoft acknowledged, she could deplete its resources enough to cause a DoS.

According to the software giant’s security bulletin rating system, the new UPnP vulnerability merits a “low” risk rating, as a client system only, for all affected platforms. Microsoft notes that Windows 98 and Windows 98 SE don’t natively incorporate UPnP functionality (it’s enabled only when the Windows XP Internet Connection Sharing client is installed); that Windows Millennium includes UPnP, but doesn’t have it enabled by default; and that XP’s Internet Connection Firewall would prevent an attacker from exploiting the UPnP vulnerability. Microsoft cautions that UPnP is enabled by default on Windows XP systems.

Moreover, the software giant says that if an IT organization has observed standard firewalling practice and blocked access to all non-essential ports (specifically, it says, ports 1900 and 5000), its networks will probably be protected from attacks originating outside them.

Microsoft says that because Windows NT 4.0 and Windows 2000 don’t include a native UPnP implementation, neither is affected by the vulnerability.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

