Windows XP security alert revised by FBI agency

The FBI’s National Infrastructure Protection Center (NIPC) has revised its recent security bulletin regarding Windows XP’s universal plug-and-play (UPNP) service.

On Christmas Eve, the NIPC issued a bulletin advising Windows XP users to consider turning off the UPNP service to close a security hole that could allow hackers to break into a user’s computer. That recommendation followed the posting of a patch by Microsoft Corp. on its Web site.

Now, in an updated security bulletin, the NIPC has dropped the recommendation to disable UPNP. Instead, the Washington-based agency recommends that the Microsoft patch be installed to correct the security vulnerability.

Marty Lindner, a team leader at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh, said the original NIPC alert was updated after better information became available about the problem. Because of the Christmas and New Year’s holidays, security experts weren’t able to fully explore solutions to the problem at that time, he said.

“The quality of the information and the time to analyze it was short, so they put out the best information they could,” Lindner said.

The security vulnerability was a buffer overflow that could allow distributed denial-of-service attacks and other intrusions, according to the NIPC. The problem also could affect Windows 98, 98SE and ME, which use the UPNP service.

The UPNP service allows PCs to discover and use various network-based devices such as printers. Windows XP has native UPNP capability, which runs by default on the system. Windows ME also includes native UPNP capability, but it doesn’t run by default. With Windows 98 and 98SE, UPNP must be installed via the Internet Connection Sharing client that ships with Windows XP.

Originally, the NIPC believed the buffer overflow problem was in UPNP itself, Lindner said. The problem was later found to be in one of the protocol services that actually implement the UPNP service.

Alfred Huger, vice-president of engineering at SecurityFocus, an IT security firm in San Mateo, Calif., said that the NIPC “made a mistake in their fix” for the problem in its first bulletin. “The about-face was actually a correction,” he added.

Charles Kolodgy, an analyst at International Data Corp. in Framingham, Mass., said the updated bulletin from the NIPC may not end the discussion about the vulnerability.

“The bad part is it kind of makes it a little confusing for what users should do,” he said.