News

NIPC Gave Users Wrong Advice on Windows XP Vulnerability

• By Scott Bekker
• 01/07/2002

The vulnerability involved the Universal Plug and Play (UPnP) service that comes with Windows XP and can be installed in Windows 98 and Windows Me.

After being notified by eEye Digital Security of a critical security problem involving UPnP, Microsoft issued a security bulletin to alert users and a patch to fix the problem on Dec. 20. The bug, one of two newly discovered UPnP problems fixed by the patch, could allow an attacker to execute code on a user's machine. The second problem involved a denial of service attack.

The same day, the FBI's NIPC took what for it was the unusual step of piggybacking a vendor's alert, presumably to make sure that a greater number of users heeded the warning.

But after talking to Microsoft about the problem, the NIPC went further, recommending on Dec. 22 additional steps beyond what Microsoft recommended to fix the problem.

In the third version of its bulletin on the topic, NIPC recommended that in addition to downloading the patch, individual users should disable the Universal Plug and Play Device Host service. System administrators, the NIPC continued, should take the further step of blocking ports 1900 and 5000.

But by Jan. 3, cooler heads prevailed. NIPC huddled with the CERT Coordination Center (CERT/CC) to review written materials from Microsoft and backed off on the additional steps.

"Based upon a careful review of the written technical materials provided by Microsoft Corporation and in agreement with CERT Coordination Center (CERT/CC) at Carnegie Mellon University, NIPC recommends that affected users install the Microsoft patch. Although neither NIPC nor CERT/CC has actually laboratory tested the patch, we are satisfied that it corrects the problem that could lead to system compromise and affords substantial and adequate protection from the UPnP vulnerability that could lead to denial of service attacks," the NIPC wrote in its fourth bulletin on the topic.

Simply put, the NIPC's advice had been wrong. The NIPC had told users to disable the wrong service. The Universal Plug and Play Device Host service had nothing to do with the Universal Plug and Play vulnerability.

Microsoft's own third revision of its bulletin, issued Jan. 3, included directions for disabling UPnP if necessary, presumably to clear up confusion about disabling UPnP.

"Despite its name, the UPnP Device Host service is not related in any way to this vulnerability, and there is no need to disable it. The UPnP Device Host service enables other services on Windows XP to advertise themselves as though they were UPnP devices, and isn’t involved in any way with how a system handles actual UPnP devices," Microsoft wrote.

Microsoft noted that disabling should only be done if applying the patch is impractical; the NIPC had recommended that users disable UPnP in addition to applying the patch. If a user decided to disable the service in Windows XP instead of applying the patch, the correct service is the SSDP Discovery Service.

Microsoft also noted that blocking ports 1900 and 5000 is a standard corporate firewalling practice.

The Microsoft bulletin and patch can be found here.