Windows XP Security Hole Gets FBI's Attention

The Federal Bureau of Investigation's National Infrastructure Protection Center issued its own warning about the vulnerability in the Universal Plug and Play (UPnP) service in Windows XP.

Meanwhile, the existence of the vulnerability prompted a team of analysts with Gartner to warn IT against deploying Windows XP for 3-6 months.

Microsoft Corp. delivered a security bulletin and patch about the vulnerability last week, giving it a "critical" rating on its new vulnerability rating system.

The UPnP service identifies and uses network-based devices. A buffer overflow vulnerability could give attackers the ability to execute code on compromised computers, while a separate vulnerability could allow for a distributed denial of service attack.

The issue primarily affects Windows XP, but UPnP is also an option in Windows Me, Windows 98 and Windows 98 Second Edition.

The NIPC normally doesn't reissue private sector warnings, but deemed this one important enough to follow up with its own warning.

"The NIPC conducted technical discussions with Microsoft Corp. and other partners in the Internet and information security community to identify software and procedure practices to minimize the risk from this vulnerability," the NIPC said in its advisory.

For IT administrators, the NIPC recommends downloading and installing Microsoft's patch, monitoring and blocking ports 1900 and 5000 and changing the UPnP service settings to "Disable" instead of the "Manual" default. The NIPC later removed those recommendations in an updated bulletin.

The Gartner analysts said the UPnP vulnerability, combined with a recent set of vulnerabilities discovered in Internet Explorer 6.0, means Windows XP may not be ready for widespread use. "Enterprises considering a move to Windows XP should wait to see if more security vulnerabilities are found in the operating system during the next three to six months," the analysts wrote.

Gartner also noted that the UPnP vulnerability validates the firm's view that Microsoft's Secure Windows Initiative was limited to its server operating systems. "Discovery of such a serious buffer overflow vulnerability in Windows XP software shows that Microsoft must significantly increase management attention to security, and focus on improving its software development and testing process," the analysts said.

Microsoft shipped Windows XP in October. The client operating system replaces both Microsoft's consumer and business client operating systems. An independent market tracking firm says Microsoft has shipped about 650,000 retail copies of XP, although Microsoft says it has sold about 7 million copies when counting copies of the OS that go out with new systems.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

