Windows XP Warning Overblown

When it comes to Windows XP, no report is too innocuous to be dragged out, dissected, and—apparently—blown out of proportion by the mainstream media. Consider the example of the XP Universal Plug and Play (UPnP) vulnerability. By far, the most interesting aspect about the UPnP vulnerability was the irresponsible way in which various media entities reported it.

UPnP is a service that lets devices automatically detect and poll newer, compatible network devices (e.g., next-generation residential gateways) over a network, much in the way that a Windows PC detects and installs local Plug and Play (PnP) hardware when you plug it into the PC.

Late last year, the National Infrastructure Protection Center (NIPC), an arm of the Federal Bureau of Investigation (FBI), issued an advisory regarding a UPnP vulnerability in XP. The advisory detailed the problem, explained what XP's UPnP subsystem does, and recommended that users download and install the patch Microsoft had provided. The NIPC also recommended that users disable the UPnP service and that systems administrators monitor certain network traffic. In contrast, Microsoft asserted that no further action was necessary after installing the patch. This conflicting advice set off weeks of controversy. In January 2002, the NIPC retracted its earlier warning: Microsoft's patch did the job, the agency said. But by that point, the damage had been done.

Despite Microsoft's increasing emphasis on security over the past year, the company simply hasn't done enough to make security a priority. (Perhaps the company's recent Trustworthy Computing initiative will address this need.) But in this instance, Microsoft and the company that first detected the vulnerability did the right thing. Instead of popularizing the problem so that intruders could learn how to exploit Windows, the young hackers who found the UPnP vulnerability worked with Microsoft to make sure a fix was available before word of the bug got out. Virtually every XP customer was already protected—through XP's Auto Update feature—or had the information they needed to protect themselves before any information about the vulnerability became public.

But tell that to the mainstream media. Instead of lauding Microsoft for providing the Auto Update mechanism for fixing such a problem and for demonstrating how its use in the real world helped millions of people, virtually every report about this vulnerability sported a shock headline ridiculing Microsoft's most secure OS ever. The Associated Press (AP) report stating that Microsoft knew about the vulnerability and did nothing for 5 weeks was untrue: The company immediately set out to fix the vulnerability and issued a patch as soon as possible. Steve Lipner, Microsoft's director of Security Assurance, stated that his security team worked 24 X 7 to complete the patch.

You don't need to look far to find basic security problems in Microsoft's products, but the UPnP vulnerability isn't a serious foundational flaw as the media coverage might have led you to believe. The problem is serious, and you should install the patch if you're an XP (or Windows Me) user. But XP is still the most secure desktop OS available today.