Urgent Security Fix for Windows XP
Win Me, XP-Internet-Sharing Win 98 Systems Also Need Patching
Eric Grevstad
Fri 12/21/01 -- "Impact of vulnerability: Run code of attacker's choice." If you don't want to think about that -- the possibility for a hacker to access any data and do anything he wants to your PC -- hurry to Microsoft's Web site for a new security patch that (to quote again from the TechNet bulletin) "Microsoft strongly urges all Windows XP customers to apply immediately."
The same goes, with slightly less urgency, for Windows Me users, and any Windows 98 or 98SE users who've installed the Internet Connection Sharing client from Windows XP.
The fatal weakness involves the Universal Plug and Play (UPnP) code that's supposed to let devices on a network identify themselves and discover one another the way Plug and Play components do within a single PC. Windows 2000 and Windows NT 4.0 don't support UPnP; nor does Windows 98 unless the abovementioned XP client is installed; Win Me does, but it's turned off by default.
As eEye Digital Security discovered and reported to Microsoft, a buffer-overrun weakness in UPnP could allow an intruder to gain complete control of a Windows XP system, while a second, slightly less critical loophole left UPnP open to hijacking in a distributed denial of service (DDoS) attack. The patch makes Windows XP aware of the problem and smart enough to limit UPnP access to the purposes it was intended for -- and also to protect any Windows 98 system later configured to use Internet Connection Sharing from the patched XP machine.
Even so, the FBI's National Infrastructure Protection Center urges users to turn off UPnP altogether. In Windows XP, open Control Panel's Administrative Tools folder, then the Services icon; scroll down to find and double-click the "Universal Plug and Play Device Host" service; and change the General tab's Startup Type field to Disabled. In Windows Me, open Control Panel's Add/Remove Programs and the Windows Setup tab; in the Components field, select Communications; and scroll down and uncheck "Universal Plug and Play."
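The Windows XP steps above can also be scripted. This is an added example, not from the article or from Microsoft; it assumes Windows PowerShell 2.0 or later is installed and that the service's short name is upnphost (neither is stated in the article). Unlike the Startup Type change alone, it also stops an instance that is already running.

```powershell
# Added example. Assumption: 'upnphost' is the short name of the
# "Universal Plug and Play Device Host" service named in the article.
function Disable-UpnpDeviceHost {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ServiceName = 'upnphost'
    )

    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) {
        Write-Warning "Service '$ServiceName' not found; nothing to disable."
        return
    }
    $startModeBefore = $svc.StartMode
    $stateBefore     = $svc.State

    # Equivalent of setting Startup Type to Disabled on the General tab.
    if ($svc.StartMode -ne 'Disabled' -and
        $PSCmdlet.ShouldProcess($svc.DisplayName, 'Set startup type to Disabled')) {
        Set-Service -Name $ServiceName -StartupType Disabled
    }

    # Disabling the startup type does not stop a running instance,
    # so stop it explicitly instead of waiting for the next reboot.
    if ($svc.State -ne 'Stopped' -and
        $PSCmdlet.ShouldProcess($svc.DisplayName, 'Stop service')) {
        Stop-Service -Name $ServiceName -Force
    }

    # Re-query so the report shows what the system says now,
    # not what the script asked for.
    $now = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        Service         = $now.DisplayName
        StartModeBefore = $startModeBefore
        StartModeAfter  = $now.StartMode
        StateBefore     = $stateBefore
        StateAfter      = $now.State
    }
}

# Preview the changes without applying them:
#   Disable-UpnpDeviceHost -WhatIf
# Apply them from an administrator session:
#   Disable-UpnpDeviceHost
```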