Windows XP Security Hole Gets FBI's Attention

The Federal Bureau of Investigation's National Infrastructure Protection Center issued its own warning about the vulnerability in the Universal Plug and Play (UPnP) service in Windows XP.

Meanwhile, the existence of the vulnerability prompted a team of analysts with Gartner to warn IT against deploying Windows XP for 3-6 months.

Microsoft Corp. delivered a security bulletin and patch about the vulnerability last week, giving it a "critical" rating on its new vulnerability rating system.

The UPnP service discovers and uses network-attached devices. A buffer overflow in it could let an attacker execute code on an affected computer, while a separate flaw in the same service could be used to mount a distributed denial of service attack.

The vulnerability primarily affects Windows XP, but the UPnP service is also available as an optional component in Windows Me, Windows 98 and Windows 98 Second Edition.

The NIPC normally doesn't reissue private sector warnings, but deemed this one important enough to follow up with its own warning.

"The NIPC conducted technical discussions with Microsoft Corp. and other partners in the Internet and information security community to identify software and procedure practices to minimize the risk from this vulnerability," the NIPC said in its advisory.

For IT administrators, the NIPC recommends downloading and installing Microsoft's patch, monitoring and blocking ports 1900 and 5000, and changing the UPnP service's startup setting to "Disable" instead of the "Manual" default. The NIPC later removed those recommendations in an updated bulletin.
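As an added illustration of the "monitor ports 1900 and 5000" advice (this is not code from the article, the NIPC or Microsoft), the script below reads a Windows firewall log in its W3C-style format, maps columns from the #Fields header, and counts inbound records to the host on the two UPnP ports, separating what the firewall dropped from what it let through. The host address 10.0.0.7, the log lines and the field layout are constructed for the example.

```python
"""Audit a Windows firewall log (W3C-style pfirewall.log layout) for inbound
traffic on the two ports the NIPC advisory named for UPnP:
UDP 1900 (SSDP discovery) and TCP 5000 (the UPnP host service)."""
from collections import Counter

# Ports from the advisory, keyed the way the log's protocol column spells them.
UPNP_PORTS = {("UDP", 1900), ("TCP", 5000)}

# Constructed sample log for a host at 10.0.0.7; the layout is assumed, not captured.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2001-12-21 10:15:02 OPEN UDP 10.0.0.7 239.255.255.250 1900 1900 - - - - - - - -
2001-12-21 10:15:03 DROP UDP 203.0.113.9 10.0.0.7 4321 1900 320 - - - - - - -
2001-12-21 10:15:04 OPEN TCP 203.0.113.9 10.0.0.7 4322 5000 48 S 123456 0 8192 - - -
2001-12-21 10:15:05 OPEN TCP 10.0.0.7 10.0.0.1 1040 80 48 S 99 0 8192 - - -
"""

def parse_log(lines):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) < len(fields):
            continue  # truncated record: skip it rather than misalign the columns
        yield dict(zip(fields, values))

def summarize(lines, local_ip):
    """Count inbound records to local_ip on the UPnP ports, keyed (action, proto, port)."""
    counts = Counter()
    for rec in parse_log(lines):
        if rec["dst-ip"] != local_ip:
            continue  # outbound or multicast SSDP chatter is not exposure of this host
        key = (rec["protocol"], int(rec["dst-port"]))
        if key in UPNP_PORTS:
            counts[(rec["action"],) + key] += 1
    return counts

def exposed_ports(counts):
    """Return the (proto, port) pairs the firewall let through (action OPEN)."""
    return sorted({(p, port) for (a, p, port) in counts if a == "OPEN"})

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines(), "10.0.0.7")
    for (action, proto, port), n in sorted(summary.items()):
        print(f"{action:5} {proto} {port}: {n}")
    print("still reachable:", exposed_ports(summary))
```

A non-empty result from exposed_ports means the port filter the NIPC described is not yet in place for that host, regardless of whether the patch has been applied.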

The Gartner analysts said the UPnP vulnerability, combined with a recent set of vulnerabilities discovered in Internet Explorer 6.0, means Windows XP may not be ready for widespread use. "Enterprises considering a move to Windows XP should wait to see if more security vulnerabilities are found in the operating system during the next three to six months," the analysts wrote.

Gartner also noted that the UPnP vulnerability validates the firm's view that Microsoft's Secure Windows Initiative was limited to its server operating systems. "Discovery of such a serious buffer overflow vulnerability in Windows XP software shows that Microsoft must significantly increase management attention to security, and focus on improving its software development and testing process," the analysts said.

Microsoft shipped Windows XP in October. The client operating system replaces both Microsoft's consumer and business client operating systems. An independent market tracking firm says Microsoft has shipped about 650,000 retail copies of XP, although Microsoft says it has sold about 7 million copies when counting copies of the OS that go out with new systems.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
