XP ‘Patch’ Leaves Door Wide Open

SPECIAL TO THE TIMES

Some companies keep making the same mistakes over and over again.

Microsoft has been leaving security holes in its operating systems for years, and as soon as it fixes one hole, it opens another.

Well, it has opened up a doozy with its latest operating system: Windows XP. On Dec. 20 the company acknowledged a flaw that allows “attackers to execute arbitrary code” on any Windows XP machine connected to the Internet. In other words, if you use Windows XP and if you’re on the Net, you’re a sitting duck: Hackers could erase your files, invade your privacy or plant software that could cause problems later on.

The company took the unusual step of issuing a warning with what it called “Maximum Severity Rating: Critical,” urging that users immediately download a software “patch” to fix the problem.

XP, as it turns out, has a feature called “universal plug and play,” or UPnP, that is designed to allow your PC to control home appliances and other devices. This is part of Microsoft’s grand scheme to turn the PC into the center of your digital universe. But guess what? There aren’t any products on the market that use UPnP.

Although I think it’s admirable that Microsoft included such forward-thinking code in the operating system, it is unclear why the company turned it on by default. And I certainly can’t see why it was made accessible via the Internet.

It would be like leaving your front door open so your pet zebra could walk from the kitchen to the family room. For one thing, you don’t have a pet zebra; and even if you did, it could get around the house without your leaving the front door open.

The moment I heard about the flaw, I accessed the Help and Support area from the XP Control Panel to run Windows Update. But, even though Microsoft had issued the warning, the utility could neither find nor fix the flaw.

I then went to the Microsoft Web site but could find no reference to the fix, even on the security page. I asked a Microsoft public relations person to send the Web address for the patch; the address was 97 characters long and impossible to remember, let alone share with others. Finally, Microsoft posted a link to the patch on its main security Web page at www.microsoft.com/security.

Having run the patch, I breathed a sigh of relief, but it was short-lived. The next day, the FBI’s National Infrastructure Protection Center (www.nipc.gov) warned users that the Microsoft patch was insufficient. Instead, users were advised to set the UPnP service settings to “disable.”

Excuse me. I literally wrote the book (well, one of the books) about how to use Windows XP, but I didn’t have a clue about how to implement the NIPC’s suggestion. Later, the NIPC issued a follow-up advisory with a seven-step fix, but it’s a relatively complicated procedure for folks who don’t make a living fiddling with computers.

Microsoft’s patch, said Steve Gibson of Laguna Hills-based Gibson Research Corp., fixes the hole but doesn’t close the door opened by UPnP. Gibson agrees with the FBI that systems with this service running remain vulnerable.

“This isn’t the first known vulnerability in universal plug and play,” he said. “Since no one needs it yet, the only safe strategy is to simply turn it off.”

Gibson has created a free and very small, downloadable program that will fix the problem for you. I tested the program, and it automatically does exactly the same thing as the NIPC’s manual fix without your having to go through the hassle or take the risk of making a mistake that could wreak havoc on your system. Gibson’s program can reverse the procedure should you later need to unlock that UPnP door.
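For readers who would rather see what the NIPC’s “disable” advice amounts to than click an icon, here is an added example (it is not from the column, from Microsoft or from Gibson’s program) of a PowerShell script that reports the state of the two Windows services behind UPnP, disables them, or, with a switch, puts them back. The column does not name the services; upnphost (Universal Plug and Play Device Host) and SSDPSRV (SSDP Discovery Service) are their names on Windows XP. The -Revert switch and the choice of Manual as the restore setting are assumptions, and PowerShell itself must be installed on an XP machine before this will run.

```powershell
# Added example, not part of the column. Assumed service names on Windows XP:
#   upnphost = Universal Plug and Play Device Host (depends on SSDPSRV)
#   SSDPSRV  = SSDP Discovery Service (listens for UPnP announcements)
# Run without arguments to disable UPnP; run with -Revert to restore it.
param(
    [switch]$Revert   # assumed switch: restore the services instead of disabling them
)

# Order matters: upnphost depends on SSDPSRV, so stop it first and start it last.
$UpnpServices = @('upnphost', 'SSDPSRV')

function Get-UpnpExposure {
    # Show status and startup type for each service before changing anything.
    # Win32_Service is used for StartMode because Get-Service on older
    # PowerShell versions does not expose the startup type.
    foreach ($name in $UpnpServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            Write-Output ("{0,-10} not installed" -f $name)
            continue
        }
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        Write-Output ("{0,-10} status={1,-8} startup={2}" -f $name, $svc.Status, $wmi.StartMode)
    }
}

function Disable-Upnp {
    # The NIPC advice: stop the services and set them to Disabled so they
    # cannot be started again, by the user or by anything arriving over the network.
    foreach ($name in $UpnpServices) {
        if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service -Name $name -StartupType Disabled
        }
    }
}

function Enable-Upnp {
    # Reverse of Disable-Upnp. Manual is assumed as the restore setting;
    # adjust if your machine's baseline differs.
    foreach ($name in ($UpnpServices | Sort-Object -Descending)) {
        if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
            Set-Service -Name $name -StartupType Manual
            Start-Service -Name $name -ErrorAction SilentlyContinue
        }
    }
}

Write-Output 'Before:'
Get-UpnpExposure
if ($Revert) { Enable-Upnp } else { Disable-Upnp }
Write-Output 'After:'
Get-UpnpExposure
```

The script must be run from an account with administrative rights, since changing a service’s startup type is an administrative action. The “Before” and “After” listings are the check worth keeping: a machine is only protected once both services read Stopped and Disabled, which is the same end state the NIPC’s seven manual steps reach.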

You can get the program by going to www.grc.com and clicking on the “UnPlug n’ Pray” icon.

*

Technology reports by Lawrence J. Magid can be heard between 2 and 3 p.m. weekdays on the KNX-AM (1070) Technology Hour. He can be reached at larry.magid@latimes.com.
