NIPC Gave Users Wrong Advice on Windows XP Vulnerability

The FBI's National Infrastructure Protection Center took the unusual step of weighing in on a Microsoft security bulletin over the holiday season, gumming up the process and confusing users.

The vulnerability involved the Universal Plug and Play (UPnP) service that comes with Windows XP and can be installed in Windows 98 and Windows Me.

After being notified by eEye Digital Security of a critical security problem involving UPnP, Microsoft issued a security bulletin to alert users and a patch to fix the problem on Dec. 20. The bug, one of two newly discovered UPnP problems fixed by the patch, could allow an attacker to execute code on a user's machine. The second problem involved a denial of service attack.

The same day, the FBI's NIPC took what for it was the unusual step of piggybacking a vendor's alert, presumably to make sure that a greater number of users heeded the warning.

But after talking to Microsoft about the problem, the NIPC went further, recommending on Dec. 22 additional steps beyond what Microsoft recommended to fix the problem.

In the third version of its bulletin on the topic, NIPC recommended that in addition to downloading the patch, individual users should disable the Universal Plug and Play Device Host service. System administrators, the NIPC continued, should take the further step of blocking ports 1900 and 5000.

But by Jan. 3, cooler heads prevailed. NIPC huddled with the CERT Coordination Center (CERT/CC) to review written materials from Microsoft and backed off on the additional steps.

"Based upon a careful review of the written technical materials provided by Microsoft Corporation and in agreement with CERT Coordination Center (CERT/CC) at Carnegie Mellon University, NIPC recommends that affected users install the Microsoft patch. Although neither NIPC nor CERT/CC has actually laboratory tested the patch, we are satisfied that it corrects the problem that could lead to system compromise and affords substantial and adequate protection from the UPnP vulnerability that could lead to denial of service attacks," the NIPC wrote in its fourth bulletin on the topic.

Simply put, the NIPC's advice had been wrong. The NIPC had told users to disable the wrong service. The Universal Plug and Play Device Host service had nothing to do with the Universal Plug and Play vulnerability.

Microsoft's own third revision of its bulletin, issued Jan. 3, included directions for disabling UPnP if necessary, presumably to clear up confusion about disabling UPnP.

"Despite its name, the UPnP Device Host service is not related in any way to this vulnerability, and there is no need to disable it. The UPnP Device Host service enables other services on Windows XP to advertise themselves as though they were UPnP devices, and isn’t involved in any way with how a system handles actual UPnP devices," Microsoft wrote.

Microsoft noted that disabling should only be done if applying the patch is impractical; the NIPC had recommended that users disable UPnP in addition to applying the patch. If a user decided to disable the service in Windows XP instead of applying the patch, the correct service is the SSDP Discovery Service.

Microsoft also noted that blocking ports 1900 and 5000 is a standard corporate firewalling practice.
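The article's point turns on which service is actually tied to the flaw: SSDP Discovery, not the similarly named UPnP Device Host. The following PowerShell audit is an added example, not code from the article, Microsoft, NIPC or CERT/CC. It assumes the short service names SSDPSRV (SSDP Discovery Service) and upnphost (UPnP Device Host), a modern Windows host with the NetTCPIP cmdlets, and an elevated session; it reports the state of both services and any listeners on ports 1900 and 5000, and only changes anything when the -DisableSsdp switch is passed.

```powershell
# Added example (not from the article): audit the two UPnP-related services and the
# UPnP ports so a defender evaluates the right service (SSDP Discovery) rather than
# the unrelated UPnP Device Host. Assumed short names: SSDPSRV and upnphost.
[CmdletBinding()]
param(
    # Mitigation the article describes as correct when patching is impractical:
    # disable SSDP Discovery only. Nothing is changed unless this switch is set.
    [switch]$DisableSsdp
)

$services = @(
    @{ Name = 'SSDPSRV';  Role = 'SSDP Discovery Service: the service tied to the UPnP vulnerability' },
    @{ Name = 'upnphost'; Role = 'UPnP Device Host: not related to the vulnerability per Microsoft' }
)

Write-Output '== Service state =='
foreach ($s in $services) {
    $svc = Get-Service -Name $s.Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Output ("{0,-10} not installed            ({1})" -f $s.Name, $s.Role)
        continue
    }
    Write-Output ("{0,-10} {1,-8} start={2,-9} ({3})" -f $svc.Name, $svc.Status, $svc.StartType, $s.Role)
}

# Ports the article says are standard to block at the corporate firewall.
# The article does not state the protocol, so both TCP and UDP are checked.
$ports = 1900, 5000
Write-Output '== Listeners on 1900/5000 =='
$tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
       Where-Object { $ports -contains $_.LocalPort }
$udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
       Where-Object { $ports -contains $_.LocalPort }

foreach ($c in $tcp) { Write-Output ("TCP {0}:{1} listening (PID {2})" -f $c.LocalAddress, $c.LocalPort, $c.OwningProcess) }
foreach ($u in $udp) { Write-Output ("UDP {0}:{1} bound     (PID {2})" -f $u.LocalAddress, $u.LocalPort, $u.OwningProcess) }
if (-not $tcp -and -not $udp) { Write-Output 'No listeners on ports 1900/5000' }

if ($DisableSsdp) {
    # Touches SSDP Discovery alone; UPnP Device Host is deliberately left as-is.
    Set-Service  -Name SSDPSRV -StartupType Disabled
    Stop-Service -Name SSDPSRV -Force -ErrorAction SilentlyContinue
    Write-Output 'SSDP Discovery Service stopped and set to Disabled'
}
```

Run it without arguments first to see the state of both services and any listeners; the read-only report is what most administrators want, and the -DisableSsdp path exists only for hosts where the patch cannot be applied, which is the condition Microsoft attached to disabling the service.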

The Microsoft bulletin and patch can be found here.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
