News

Windows XP Vulnerability Patched

• By Stephen Swoyer
• 11/02/2001

Although XP derives much of its code base from Windows 2000, Microsoft says that Windows 2000 systems are not affected by the bug. The new vulnerability affects the software giant’s Windows 98, Windows 98 Second Edition and Windows Millennium operating systems, as well.

In a security bulletin that it distributed to the members of its security mailing list Thursday night, Microsoft confirmed that an attacker could exploit a bug in its Universal Plug-and-Play (UPnP) service to cause a memory leak on Windows XP systems. UPnP services -– which allow computers to discover and exploit network-based resources -– are integrated natively in Windows XP.

An attacker could exploit the UPnP vulnerability by sending an invalid UPnP request to a Windows XP system. If an attacker sends enough invalid UPnP requests to a vulnerable Windows XP system, Microsoft acknowledged, she could so deplete its resources to cause DOS.

According to the software giant’s security bulletin rating system, the new UPnP vulnerability merits a “low” risk -- as a client system only -- for all affected platforms. Microsoft notes that Windows 98 and Windows 98 SE don’t natively incorporate UPnP functionality (it’s enabled only when the Windows XP Internet Connection Sharing client is installed); that Windows Millennium includes UPnP, but doesn’t have it enabled by default; and that XP’s Internet Connection Firewall would prevent an attacker from exploiting the UPnP vulnerability. Microsoft cautions that UPnP is enabled by default on Windows XP systems.

Moreover, the software giant says that if an IT organization has observed standard firewalling practice and blocked access to all non-essential ports – specifically, it says, to ports 1900 and 5000 – its networks will probably be protected from attack from without.

Microsoft says that because Windows NT 4.0 and Windows 2000 don’t include a native UPnP implementation, neither is affected by the vulnerability.