Can we talk about XP?
FOR THE PAST few weeks I've described security problems in Windows XP, Microsoft's Internet Information Server, and Internet servers in general. In today's column, I conclude this series, with a promise to move on to cheerier topics next week.
My cautions about the so-called UPnP (Universal Plug and Play) security hole, which, if unpatched, allows an attacker to gain total control over an XP machine or an entire network of them, prompted some readers to send me an article by Tim Mullen. He's CIO of AnchorIS.com, which specializes in secure accounting software. His article, which first appeared at SecurityFocus (www.securityfocus.com/columnists/50), was reposted at The Register, an excellent industry gadfly, where even more people saw it (http://theregister.co.uk/content/4/23517.html).
Unfortunately, the readers who sent it to me assumed that a tagline in Mullen's piece -- "They all have it wrong" -- invalidated the warnings I gave. Because Mullen's words were posted on Dec. 31, before my column even appeared, he certainly wasn't criticizing me. But I think this discussion is so interesting that it bears more investigation.
Mullen's basic complaint is that the FBI's National Infrastructure Protection Center (NIPC) gave inaccurate recommendations. He also lambasted mistakes by mainstream newspapers, which didn't even link to Microsoft's patch (www.microsoft.com/technet/security/bulletin/MS01-059.asp).
On these points, Mullen is dead-on. The NIPC described how to disable UPnP, but not its underlying Simple Service Discovery Protocol, where the problem lies. For this reason, I recommended that readers disable everything using a free utility by Steve Gibson (http://grc.com/UnPnP/UnPnP.htm). The NIPC's latest notice now recommends the patch, but omits how to disable UPnP (www.nipc.gov/warnings/advisories/2002/01-030-3.htm).
In a telephone interview, Mullen disputed this as well, saying all unused services should be disabled on Internet-connected computers. So far, Mullen and I agree completely.
Where he goes off the rails is when he criticizes Gibson and Gartner for their efforts to alert the media about the problem. His specific criticism is that Gibson implied Microsoft withheld information about the security hole for two months, until Dec. 20, so crucial holiday-season XP sales wouldn't be hurt. But because more complex patches have taken only two weeks, I feel that Microsoft deserves the heat.
Mullen suggests that fears of the XP hole are overblown, writing, "There isn't even an exploit yet!" That's not the case, as you can see by the code at http://packetstorm.widexs.nl/0112-exploits/XPloit.c -- a fact that Gibson clearly warned us about.
The press should print more, not less, about security fixes. I, for one, plan to keep it up.
Send tips to email@example.com. He regrets that he cannot answer individual questions. Go to www.iwsubscribe.com/newsletters to get his Window Manager column and E-Business Secrets e-zine free via e-mail.