This is a special alert from The Funny/Alerts Newsletter. Microshaft is at it again. If you purchased or received for Christmas the new Windows XP (eXPerimental) operating system, you need to know about this latest security flaw!
Windows XP Plug-N-Pray
by Steve Gibson
The FBI has Strongly Recommended that All Users Immediately Disable WinXP's Universal Plug n' Play Support
What is all the fuss about?
On Thursday, December 20, 2001, Microsoft revealed that the hackers at eEye had discovered multiple critical security flaws in all versions of Windows XP.
Translating eEye's and Microsoft's statements into consequences, this means that without the security update patch, and with the Universal Plug and Play (UPnP) system in its default "enabled" state, any of the many millions of Internet-connected Windows XP systems could be remotely commandeered and forced to download and run any malicious code of a hacker's design. This includes using the machine to launch potent Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
This also means that extremely damaging CodeRed and Nimda-style worms can now be written for Windows XP machines. Whereas the Microsoft IIS worms of 2001 found and infested 'only' several hundred thousand IIS servers, a Windows XP "Universal Plug and Play" worm would have more than seven million XP systems upon which to feed today.
The threat is so significant that the FBI has urged consumers to take matters into their own hands:
WASHINGTON, Dec. 21 - The FBI's top cyber-security unit warned consumers and corporations Friday night to take new steps beyond those recommended by Microsoft Corp. to protect against hackers who might try to attack major flaws discovered in the newest version of Windows software.
How did this disaster happen?
The Universal Plug and Play service (UPnP), which is installed and running in all versions of Windows XP, essentially turns every copy of XP into a wide-open Internet server. This server listens for TCP connections on port 5000 and for UDP 'datagram' packets arriving on port 1900. This allows malicious hackers (or high-speed Internet worms) to scan for, and locate, your individual Windows XP machine from anywhere in the world. Any vulnerabilities known today or discovered tomorrow can then be rapidly exploited. Note that the security of XP's built-in personal firewall was deliberately compromised to allow these unsolicited connections to take place. (You can verify this yourself by using our ShieldsUP! Port Probe to check for an open TCP port 5000 exposed to the outside world right through XP's firewall.)
Of significant concern to consumers and to the Internet industry is the fact that Microsoft was informed of this by eEye nearly two months before its announcement. Microsoft knew of this throughout the entire Christmas holiday sales season. They deliberately and knowingly sold millions of copies of a seriously defective and insecure operating system to millions of trusting consumers.
It appears that Microsoft waited until after their Christmas sales were safe to make their 'emergency' announcement.
Can't anyone make an honest mistake?
Of course . . . but this was VERY deliberate and Microsoft STILL has not learned their lesson: A very troubling aspect of this issue is that the POTENTIAL for this insecurity was intentionally and needlessly designed into Windows XP from the start. ALMOST NO ONE uses or needs to have Universal Plug and Play enabled today. Yet every copy of Windows XP sold has it enabled and running by default.
This goes to the heart of Microsoft's lack of understanding, or lack of honest concern, about security. And that's the bigger problem here.
For Microsoft to proclaim that Windows XP is the most secure Windows operating system ever shipped while every copy has a wide-open, firewall penetrating, exposed Internet server running makes a mockery of their professed commitment to security.
It seems clear that Microsoft has their own agenda, whatever it may be, and that agenda appears not to be concerned with their users' Internet security. The responsibility falls to us to protect ourselves from Microsoft's deliberate decisions.
Introducing UnPlug n' Pray:
UnPlug n' Pray empowers Windows XP users with the means to shut down the dangerous and unnecessary UPnP Internet server running in their machines.
One important note of caution: Microsoft has a nasty and very insecure habit of "undoing" non-standard system changes that have been made to enhance the system's security. We will update this page if we learn of anything that secretly re-enables these services. But you may want to briefly run UnPnP from time to time, especially after making extensive changes to your system, to be sure everything is still securely disabled.
XP users download here:
Please take a prudent level of minimum due care.
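For the periodic re-check recommended above, here is a local test for the two listeners the article describes (TCP port 5000 and UDP port 1900). This is an added example, not code from the original page or from UnPlug n' Pray. The function names are illustrative, and the UDP test is a heuristic that treats a failed bind as "port already in use".

```python
import socket

UPNP_TCP_PORT = 5000  # TCP port the article says XP's UPnP service listens on
SSDP_UDP_PORT = 1900  # UDP port the article says receives UPnP datagrams


def tcp_listening(host, port, timeout=1.0):
    """Return True if something accepts a TCP connection on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def udp_in_use(port, bind_addr="0.0.0.0"):
    """Heuristic: a UDP port we cannot bind is assumed held by another process."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((bind_addr, port))
        except OSError:
            return True
    return False


def audit(host="127.0.0.1", tcp_port=UPNP_TCP_PORT, udp_port=SSDP_UDP_PORT,
          bind_addr="0.0.0.0"):
    """Check this machine for the two listeners; return a list of findings."""
    findings = []
    if tcp_listening(host, tcp_port):
        findings.append("TCP %d accepts connections on %s" % (tcp_port, host))
    if udp_in_use(udp_port, bind_addr):
        findings.append("UDP %d is already bound locally" % udp_port)
    return findings


if __name__ == "__main__":
    results = audit()
    for line in results:
        print("OPEN:", line)
    if not results:
        print("Neither TCP 5000 nor UDP 1900 appears to be in use on this machine.")
```

A finding only shows that some process holds the port; confirm which service owns it before concluding that UPnP has been re-enabled.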