Windows XP Security Hole Gets FBI's Attention

The Federal Bureau of Investigation's National Infrastructure Protection Center issued its own warning about the vulnerability in the Universal Plug and Play (UPnP) service in Windows XP.

Meanwhile, the existence of the vulnerability prompted a team of analysts with Gartner to warn IT against deploying Windows XP for three to six months.

Microsoft Corp. delivered a security bulletin and patch about the vulnerability last week, giving it a "critical" rating on its new vulnerability rating system.

The UPnP service lets a computer discover and use network-based devices. A buffer overflow vulnerability could give attackers the ability to execute code on vulnerable computers, while a separate vulnerability could be used to mount a distributed denial of service attack.

The flaw affects Windows XP primarily, but the UPnP service is also an optional component in Windows Me, Windows 98 and Windows 98 Second Edition.

The NIPC normally doesn't reissue private sector warnings, but deemed this one important enough to follow up with its own warning.

"The NIPC conducted technical discussions with Microsoft Corp. and other partners in the Internet and information security community to identify software and procedure practices to minimize the risk from this vulnerability," the NIPC said in its advisory.

For IT administrators, the NIPC recommended downloading and installing Microsoft's patch, monitoring and blocking ports 1900 and 5000, and changing the UPnP service's startup setting to "Disabled" instead of the "Manual" default. The NIPC later removed those recommendations in an updated bulletin.

The Gartner analysts said the UPnP vulnerability, combined with a recent set of vulnerabilities discovered in Internet Explorer 6.0, means Windows XP may not be ready for widespread use. "Enterprises considering a move to Windows XP should wait to see if more security vulnerabilities are found in the operating system during the next three to six months," the analysts wrote.

Gartner also noted that the UPnP vulnerability validates the firm's view that Microsoft's Secure Windows Initiative was limited to its server operating systems. "Discovery of such a serious buffer overflow vulnerability in Windows XP software shows that Microsoft must significantly increase management attention to security, and focus on improving its software development and testing process," the analysts said.

Microsoft shipped Windows XP in October. The client operating system replaces both Microsoft's consumer and business client operating systems. An independent market tracking firm says Microsoft has shipped about 650,000 retail copies of XP, although Microsoft says it has sold about 7 million copies when counting copies of the OS that go out with new systems.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
