Commentary: XP's "plug and prey" hole

By John Pescatore, Michael Silver, David Smith and Neil MacDonald, Gartner analysts

The 2001 holiday season hasn't been merry for early adopters of Microsoft's Windows XP.

They must cope with two serious security vulnerabilities--one in the Internet Explorer 6 browser, the other affecting the Universal Plug and Play service--in components that are both embedded in Windows XP.

See news story:
Microsoft issues patch for "serious" XP hole

These vulnerabilities earn a "high risk" mark on Gartner's Internet Vulnerability Risk Rating system. We predict that by the end of the first quarter of 2002, standard hacker attack tools will incorporate these weaknesses into the rampant hacker scanning that is seen on cable modem and DSL Internet access systems.

The plug-and-play vulnerability validates Gartner's view that Microsoft's Secure Windows Initiative was limited to the software maker's server operating systems. Discovery of such a serious buffer overflow vulnerability in Windows XP software shows that Microsoft must significantly increase management attention to security and focus on improving its software development and testing processes.

Enterprises debating a move to Windows XP should wait to see if more security vulnerabilities are found in the operating system during the next three to six months. Those actively planning Windows XP migration should test application compatibility with this patch (and any patch fixes that Microsoft offers after problems are found with the initial one) for any operating system image they intend to make standard on their computer systems.

Enterprises that use Windows XP or that have installed the plug-and-play services on Windows ME-based PCs should block ports 1900 and 5000 on corporate firewalls (as well as in personal firewall software on laptops and on small-office or home-office router firewalls) and patch all affected desktops at once.

Employees who remotely connect using home PCs that run Windows ME should get instructions from their companies on how to disable the plug-and-play services and install the patch.

(For a related commentary on recent security holes in Internet Explorer as well as Sun and Unix server products, see Gartner.com.)

Entire contents, Copyright © 2001 Gartner, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.