Security Alert: Universal Plug & Play Security Vulnerability In Windows XP

Windows XP, Microsoft's newest version of Windows, contains a serious flaw that allows hackers to steal or destroy a victim's data files across the Internet or implant rogue computer software. The company released a free fix on December 20, 2001.

The risk to XP users is unprecedented because the vulnerability allows hackers to assume control of all Windows XP operating system software if the Windows XP workstation is connected to the Internet.

The Windows XP problems affect a feature that uses Internet protocols to allow devices such as computers, scanners and printers to automatically discover one another so they can communicate. The feature, called "Universal Plug & Play," is activated by design in every copy of Windows XP and can be added manually to earlier versions of Microsoft's Windows software, specifically Windows 98, Windows 98 Second Edition, and Windows Millenium Edition (Windows ME).

Microsoft has made a free fix for both Windows XP Home and Windows XP Professional available on its Web site. Information Systems & Computing (ISC) and Microsoft strongly recommend that every Windows XP user apply the patch immediately. Customers using Windows 98, Windows 98 Second Edition, and Windows ME with the "Universal Plug & Play" service running should use the same patch. This vulnerability does not exist under Windows 95, Windows NT Workstation 4.0, or Windows 2000 Professional.

For further information

National Infrastructure Protection Center Advisory on Universal Plug & Play Vulnerabilities.

Microsoft's Windows XP page.

--Mike Lazenka & Nicholas Allen, ISC Technology Support Services (December 21, 2001)