InfoWorld
Lead with Knowledge
HOME/ SITEMAP
SUBJECT INDEXES
ABOUT US
WHITE PAPERS

Learn to secure your PCs from new and unknown hacker attacks.

Free IDC White Paper - Discover Secure File Sharing for the Enterpriseattacks.

SEARCH:  
Home  //  Community //  Opinions //  Article
Print Article    Email Article
Window Manager
Brian Livingston
Can we talk about XP?

FOR THE PAST few weeks I've described security problems in Windows XP, Microsoft's Internet Information Server, and Internet servers in general. In today's column, I conclude this series, with a promise to move on to cheerier topics next week.

My cautions about the so-called UPnP (Universal Plug and Play) security hole, which, if unpatched, allows an attacker to gain total control over an XP machine or an entire network of them, prompted some readers to send me an article by Tim Mullen. He's CIO of AnchorIS.com, which specializes in secure accounting software. His article, which first appeared at SecurityFocus (www.securityfocus.com/columnists/50), was reposted at The Register, an excellent industry gadfly, where even more people saw it (http://theregister.co.uk/content/4/23517.html).

Unfortunately, the readers who sent it to me assumed that a tagline in Mullen's piece -- "They all have it wrong" -- invalidated the warnings I gave. Because Mullen's words were posted on Dec. 31, before my column even appeared, he certainly wasn't criticizing me. But I think this discussion is so interesting that it bears more investigation.

Mullen's basic complaint is that the FBI's National Infrastructure Protection Center (NIPC) gave inaccurate recommendations. He also lambasted mistakes by mainstream newspapers, which didn't even link to Microsoft's patch (www.microsoft.com/technet/security/bulletin/MS01-059.asp).

On these points, Mullen is dead-on. The NIPC described how to disable UPnP, but not its underlying Simple Service Discovery Protocol, where the problem lies. For this reason, I recommended that readers disable everything using a free utility by Steve Gibson (http://grc.com/UnPnP/UnPnP.htm). The NIPC's latest notice now recommends the patch, but omits how to disable UPnP (www.nipc.gov/warnings/advisories/2002/01-030-3.htm).

In a telephone interview, Mullen disputed this as well, saying all unused services should be disabled on Internet-connected computers. So far, Mullen and I agree completely.

Where he goes off the rails is when he criticizes Gibson and Gartner for their efforts to alert the media about the problem. His specific criticism is that Gibson implied Microsoft withheld information about the security hole for two months, until Dec. 20, so crucial holiday-season XP sales wouldn't be hurt. But because more complex patches have taken only two weeks, I feel that Microsoft deserves the heat.

Mullen suggests that fears of the XP hole are overblown, writing, "There isn't even an exploit yet!" That's not the case, as you can see by the code at http://packetstorm.widexs.nl/0112-exploits/XPloit.c -- a fact that Gibson clearly warned us about.

The press should print more, not less, about security fixes. I, for one, plan to keep it up.




RELATED SUBJECTS

Operating Systems
Security

MORE >
SUBSCRIBE TO:    E-mail Newsletters  InfoWorld Mobile InfoWorld Magazine
Home  //  Community //  Opinions //  Article Print Article    Email Article
Back to Top
 ADVERTISEMENT
 

SPONSORED LINKS

Learn to secure your PCs from new and unknown hacker attacks.
Click here to receive a FREE Success Kit from Oracle.
SPEED, PERSONALIZATION AND INTEGRATION: THE KEY TO E-COMMERCE SUCCESS.
Protect Your Data: Get your FREE Enterprise Backup Intelligence Kit from ADIC.
New HP digital projectors — click now for limited-time introductory offers.

SUBSCRIBE
E-mail Newsletters
InfoWorld Mobile
Print Magazine
Web-based training
ABOUT INFOWORLD  |  SITE MAP  |  EMPLOYMENT  |  PRIVACY  |   CONTACT US

Copyright 2002 InfoWorld Media Group, Inc.