After speaking with Microsoft officials, the National Infrastructure Protection Center (NIPC), an arm of the Federal Bureau of Investigation (FBI), issued an advisory late last week regarding the Universal Plug and Play (UPnP) vulnerability in Windows XP. The advisory details the problem, explains what the UPnP subsystem in Windows XP does, and recommends that users download and install the patch Microsoft has already provided. However, the NIPC also recommends that users disable the UPnP service, while system administrators are asked to monitor certain network traffic. Microsoft says that no further action is needed after the latest patch is installed.
"The patch is effective," said Steve Lipner, Microsoft's director of security assurance.
UPnP is a service that allows newer network devices, such as next-generation residential gateways, to be automatically detected and polled over a network, much in the way that local Plug and Play (PnP) hardware is detected and installed when plugged into a PC. Microsoft has been banking on UPnP for a long time, and though Windows Me included the service, no UPnP devices ever shipped during that product's lifetime. With Windows XP, however, Microsoft has worked with a variety of third-party hardware makers to ensure that UPnP devices become available. Many of these were due to ship by the time XP launched in October, but none have, to this day, yet shipped. I've spoken with these companies--which include Linksys, D-Link, and others--and have been told to expect the first generation of UPnP devices in early 2002.
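The NIPC's advice to administrators was to monitor network traffic related to UPnP. As an added illustration of what that traffic looks like (example code written for this page, not anything from Microsoft, the NIPC, or the article), the following Python parses SSDP, the HTTP-over-UDP discovery protocol UPnP uses on UDP port 1900 with multicast group 239.255.255.250 (a known protocol fact, not stated in the article), and builds an inventory of which hosts on a segment are announcing UPnP devices or searching for them. The message samples and addresses are constructed.

```python
"""Parse SSDP (UPnP discovery) messages and inventory which hosts send them.

SSDP is the discovery layer of UPnP: devices multicast NOTIFY announcements
and control points multicast M-SEARCH queries, both as HTTP-style text over
UDP port 1900 to 239.255.255.250 (protocol fact; the article itself does
not name the port). The sample packets below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SSDP_PORT = 1900                    # standard SSDP port
SSDP_MULTICAST = "239.255.255.250"  # standard SSDP multicast group


@dataclass
class SsdpMessage:
    method: str                              # "NOTIFY", "M-SEARCH" or "RESPONSE"
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased names


def parse_ssdp(raw: str) -> Optional[SsdpMessage]:
    """Parse one SSDP datagram; return None for anything that is not SSDP."""
    lines = raw.replace("\r\n", "\n").split("\n")
    start = lines[0].strip() if lines else ""
    if start.startswith("NOTIFY "):
        method = "NOTIFY"
    elif start.startswith("M-SEARCH "):
        method = "M-SEARCH"
    elif start.startswith("HTTP/1.1 200"):
        method = "RESPONSE"          # unicast reply to an M-SEARCH
    else:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():         # blank line ends the header block
            break
        if ":" not in line:          # tolerate malformed lines instead of failing
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return SsdpMessage(method, headers)


def summarize(packets: List[Tuple[str, str]]) -> Dict[str, dict]:
    """Per source address: how many announcements and searches it sent, and
    which description URLs it advertised. Non-SSDP payloads are skipped."""
    summary: Dict[str, dict] = {}
    for src, raw in packets:
        msg = parse_ssdp(raw)
        if msg is None:
            continue
        entry = summary.setdefault(src, {"notify": 0, "msearch": 0, "locations": set()})
        if msg.method == "NOTIFY":
            entry["notify"] += 1
            loc = msg.headers.get("location")
            if loc:
                entry["locations"].add(loc)
        elif msg.method == "M-SEARCH":
            entry["msearch"] += 1
    for entry in summary.values():
        entry["locations"] = sorted(entry["locations"])
    return summary


# Constructed sample datagrams (hypothetical addresses from the 192.0.2.0/24
# documentation range; the UUID and SERVER strings are placeholders).
NOTIFY_MSG = (
    "NOTIFY * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.0.2.10:5000/rootDesc.xml\r\n"
    "NT: upnp:rootdevice\r\n"
    "NTS: ssdp:alive\r\n"
    "SERVER: ExampleOS/1.0 UPnP/1.0 ExampleGateway/1.0\r\n"
    "USN: uuid:EXAMPLE-UUID::upnp:rootdevice\r\n\r\n"
)
MSEARCH_MSG = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n\r\n"
)
SAMPLE_PACKETS = [
    ("192.0.2.10", NOTIFY_MSG),
    ("192.0.2.25", MSEARCH_MSG),
    ("192.0.2.10", NOTIFY_MSG),
    ("192.0.2.77", "not an ssdp datagram\r\n"),
]

if __name__ == "__main__":
    for host, info in summarize(SAMPLE_PACKETS).items():
        print(host, info)
```

Fed the payloads of UDP/1900 datagrams captured on a segment, `summarize` gives an administrator a list of hosts that are advertising UPnP devices (and where their device descriptions are hosted), which is the baseline needed before unexpected announcements can be noticed.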
Another interesting thing about this vulnerability is the irresponsible way it was reported by various entities in the media. My stance on Microsoft's ability to secure its products has never really changed, though the company has been talking up security for the past year: It simply doesn't do enough to make security a priority. But in this instance, Microsoft and the company that first detected the vulnerability did the right thing. Instead of popularizing the problem so that hackers could learn how to exploit Windows, as they've done in the past, the youngsters that found the UPnP vulnerability chose to work with Microsoft and make sure a fix was available before any announcement was made. That way, virtually every XP customer was already protected--through XP's Auto Update feature--or had the information they needed to protect themselves before any information about the vulnerability went public.
But tell that to the media. Instead of lauding Microsoft for providing an automatic mechanism for fixing such a problem, and demonstrating how its use in the real world has now helped millions of people, virtually every report about this vulnerability has focused instead on shock headlines ridiculing Microsoft's most secure OS ever. And then the rumors began: This vulnerability was reportedly published five weeks ago and Microsoft did nothing, I've been told by several readers. I've investigated those charges and have found no corroborating evidence of that, sorry. And I find it hard to believe that Microsoft wouldn't pounce immediately on a problem affecting its keystone product. I'll be speaking to security experts outside of Microsoft this week to get their take on the situation, and verify what I've discovered.
But as of now, it seems that the status quo has been maintained, and Microsoft can't win for trying. Don't be misled by mainstream, computer industry, or Web-based reports about this incident. Yes, this issue is serious, and yes, you should install the patch (by default, it will be downloaded for you automatically, thanks to Auto Update). But it doesn't somehow represent the frailty of XP, which is still the most secure consumer OS available today. One doesn't have to look far to find basic security problems in Microsoft's products (IE or IIS anyone?) but this vulnerability isn't a foundational flaw. I'll have more information about this by the end of the week.