Privacy Expert Roots Out True Origin of “XP Flaw”

Warnings about flaws in Microsoft Corp.’s ubiquitous operating systems and popular software are a dime a dozen these days, which is a bit disconcerting when one considers that the holes themselves can often shut out site access, potentially causing businesses to lose serious dollars.

It was understandable that the software giant’s announcement of a serious operating system weakness caused security experts, research firms and pundits to sit up and take notice last Thursday. Microsoft reported two vulnerabilities that could leave PCs both open to hackers and at risk of being shut down by a denial-of-service (DoS) attack.

The holes involve the firm’s “Universal Plug and Play” (UPnP) service, software that uses Internet protocols to allow PCs and other devices to discover one another so they can communicate. If exploited, a hacker could take over computers and possibly cripple a network. Microsoft duly issued a patch for the gaps and warned users to disable UPnP when they are not using it.

Trouble is, the UPnP miscue is not endemic to XP, as was widely reported. Moreover, it did not, in fact, begin with the new OS, privacy expert Richard M. Smith told Wednesday. After reading the Microsoft Security Advisory Center’s warning about the flaw, Smith checked his two Windows ME machines and found the UPnP feature turned on, while his XP-loaded machine had it turned off. Curious because he had read some news reports that the UPnP flaw had its origins in XP, Smith poked around and discovered that the flaw was born when UPnP first shipped, which was with ME more than a year and a half ago.

“The more I look at the security problems in the Universal Plug-and-Play (UPNP) feature of Windows, the more I think it is a big mistake to characterize them as Windows XP problems. It is entirely possible that there are more Windows ME (Millennium Edition) users who are vulnerable to the security hole than XP users. The risk here is that Windows ME users won’t get the Microsoft patch because they assume the problems are only for XP given most of the press coverage so far,” said Smith, proprietor of PC technology watchdog site “…. this bug is a Windows ME bug that got passed along to Windows XP.”

To be sure, Microsoft said customers using Windows 98, Windows 98 Second Edition and Windows ME with UPnP should also use the patch.

Whatever the case, research firm Gartner Group commented on the flaw, which it called “plug-and-prey,” and awarded it the high risk mark on its Internet Vulnerability Risk Rating system.

“The plug-and-play vulnerability validates Gartner’s view that Microsoft’s Secure Windows Initiative was limited to the software maker’s server operating systems. Discovery of such a serious buffer overflow vulnerability in Windows XP software shows that Microsoft must significantly increase management attention to security and focus on improving its software development and testing processes,” Gartner said in a research note.

Gartner also said enterprises should sit tight on XP migration for a few months, to wait and see if any other nasty bugs come to light.

Even a government agency is on alert. After Microsoft reported the gaps, the Federal Bureau of Investigation looked into the matter; its National Infrastructure Protection Center (NIPC) urged XP users to disable a feature that could leave computers open to attacks from hackers.

An organization that usually leaves technological security warnings to private sector firms such as CERT, the NIPC apparently held technical discussions with Microsoft Corp. to put a finger on ways to minimize the risk from security holes in XP.
