Windows XP Security Hole Gets FBI's Attention
- By Scott Bekker
- December 27, 2001
The Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC) issued its own warning about the vulnerability in the Universal Plug and Play (UPnP) service in Windows XP.
Meanwhile, the existence of the vulnerability prompted a team of analysts with Gartner to warn IT against deploying Windows XP for 3-6 months.
Microsoft Corp. delivered a security bulletin and patch about the vulnerability last week, giving it a "critical" rating on its new vulnerability rating system.
The UPnP service identifies and uses network-based devices. A buffer overflow vulnerability could give attackers the ability to execute code on compromised computers, while a separate vulnerability could allow for a distributed denial of service attack.
The flaw primarily affects Windows XP, but the UPnP service is also available as an optional component on Windows Me, Windows 98 and Windows 98 Second Edition.
The NIPC normally doesn't reissue private sector warnings, but deemed this one important enough to follow up with its own warning.
"The NIPC conducted technical discussions with Microsoft Corp. and other partners in the Internet and information security community to identify software and procedure practices to minimize the risk from this vulnerability," the NIPC said in its advisory.
For IT administrators, the NIPC recommends downloading and installing Microsoft's patch, monitoring and blocking ports 1900 and 5000, and changing the UPnP service's startup setting to "Disabled" instead of the "Manual" default. The NIPC later removed those recommendations in an updated bulletin.
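An added example, not from the article or from the NIPC advisory, of how an administrator could audit a Windows host against those recommendations: it reports whether the UPnP-related services are disabled and whether anything is bound to the two ports named above, and applies the service and host-firewall changes only when run with -Remediate. It assumes a current Windows with PowerShell 5 or later and the present-day service names SSDPSRV and upnphost (Windows XP used different display names).

```powershell
# Added example: audit (and optionally enforce) the UPnP hardening steps
# named in the NIPC advisory. Service names below are assumptions for
# modern Windows; they are not the names used on Windows XP.
param([switch]$Remediate)

$services = 'SSDPSRV', 'upnphost'   # SSDP Discovery, UPnP Device Host (assumed)
$udpPort  = 1900                    # SSDP discovery (udp/1900)
$tcpPort  = 5000                    # UPnP device host control (tcp/5000)
$findings = @()

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { $findings += "[info] service $name not present"; continue }
    if ($svc.StartType -ne 'Disabled' -or $svc.Status -eq 'Running') {
        $findings += "[warn] $name is $($svc.Status), start type $($svc.StartType)"
        if ($Remediate) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $name -StartupType Disabled
            $findings += "[fixed] $name stopped and set to Disabled"
        }
    } else {
        $findings += "[ok] $name is disabled"
    }
}

# Anything bound to the advisory's ports, with the owning process for follow-up.
Get-NetUDPEndpoint -LocalPort $udpPort -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "[warn] UDP $($_.LocalPort) bound on $($_.LocalAddress) (PID $($_.OwningProcess))"
}
Get-NetTCPConnection -LocalPort $tcpPort -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "[warn] TCP $($_.LocalPort) listening on $($_.LocalAddress) (PID $($_.OwningProcess))"
}

# Host-firewall block for inbound traffic on both ports, only when asked to remediate.
if ($Remediate) {
    New-NetFirewallRule -DisplayName 'Block UPnP SSDP udp/1900' -Direction Inbound `
        -Protocol UDP -LocalPort $udpPort -Action Block | Out-Null
    New-NetFirewallRule -DisplayName 'Block UPnP tcp/5000' -Direction Inbound `
        -Protocol TCP -LocalPort $tcpPort -Action Block | Out-Null
    $findings += "[fixed] inbound block rules added for udp/$udpPort and tcp/$tcpPort"
}

$findings | ForEach-Object { Write-Output $_ }
```

Run it without -Remediate from an elevated prompt to get a read-only report; the firewall rules are an in-host complement to the patch, not a substitute for it.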
The Gartner analysts said the UPnP vulnerability, combined with a recent set of vulnerabilities discovered in Internet Explorer 6.0, means Windows XP may not be ready for widespread use. "Enterprises considering a move to Windows XP should wait to see if more security vulnerabilities are found in the operating system during the next three to six months," the analysts wrote.
Gartner also noted that the UPnP vulnerability validates the firm's view that Microsoft's Secure Windows Initiative was limited to its server operating systems. "Discovery of such a serious buffer overflow vulnerability in Windows XP software shows that Microsoft must significantly increase management attention to security, and focus on improving its software development and testing process," the analysts said.
Microsoft shipped Windows XP in October. The client operating system replaces both Microsoft's consumer and business client operating systems. An independent market tracking firm says Microsoft has shipped about 650,000 retail copies of XP, although Microsoft says it has sold about 7 million copies when counting copies of the OS that go out with new systems.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.