My cautions about the so-called UPnP (Universal Plug and Play) security hole, which, if unpatched, allows an attacker to gain total control over an XP machine or an entire network of them, prompted some readers to send me an article by Tim Mullen. He’s information chief of AnchorIS.com, which specialises in secure accounting software. His article, which first appeared at SecurityFocus, was re-posted at The Register, an excellent industry gadfly, where even more people saw it.
Unfortunately, the readers who sent it to me assumed that a tagline in Mullen’s piece — “They all have it wrong” — invalidated the warnings I gave. Because Mullen’s words were posted on December 31, before my column even appeared, he certainly wasn’t criticising me. But I think this discussion is so interesting that it bears more investigation.
Mullen’s basic complaint is that the FBI’s National Infrastructure Protection Centre (NIPC) gave inaccurate recommendations. He also lambasted mistakes by mainstream newspapers, which didn’t even link to Microsoft’s patch.
On these points, Mullen is dead-on. The NIPC described how to disable UPnP, but not its underlying Simple Service Discovery Protocol (SSDP), where the problem lies. For this reason, I recommended that readers disable everything using a free utility by Steve Gibson. The NIPC’s latest notice now recommends the patch, but omits how to disable UPnP.
In a telephone interview, Mullen disputed this omission as well, saying all unused services should be disabled on internet-connected computers. So far, Mullen and I agree completely.
Where he goes off the rails is when he criticises Gibson and Gartner for their efforts to alert the media about the problem. His specific criticism is that Gibson implied Microsoft withheld information about the security hole for two months, until December 20, so crucial holiday-season XP sales wouldn’t be hurt. But because more complex patches have taken only two weeks, I feel that Microsoft deserves the heat.
Mullen suggests that fears of the XP hole are overblown, writing, “There isn’t even an exploit yet!” That’s not the case, as you can see by the code here — a fact that Gibson clearly warned us about.
The press should print more, not less, about security fixes. I, for one, plan to keep it up.
Send tips to firstname.lastname@example.org. He regrets that he cannot answer individual questions.