Programming Windows: Trustworthy (Premium)

With the Windows XP launch behind it, Microsoft turned its attention to the future. This future was to include several Windows initiatives with 2002 deliverables, some public and some yet to be revealed.

Microsoft had promised to ship Windows XP Tablet PC Edition by the end of 2002, for example. But it was also prepping the next major release of Windows Server, then still called Windows .NET Server, and the first servicing update for Windows XP, called Windows XP Service Pack 1 (SP1). Longhorn development would speed through a set of “alpha” pre-release internal builds in 2002 before an external beta. Microsoft had yet another Windows XP variant, this one aimed at so-called Media Center PCs, that it would unveil at the Consumer Electronics Show (CES) in January 2002. And there were, of course, lesser releases aimed at vertical markets, like Windows XP Embedded and new variants of Windows CE, all of which would spread Windows XP’s NT-based DNA to new device categories.

Windows XP got off to a good start, given the industry doldrums and the post-911 uncertainties of the day. And it was well-reviewed, kicking off a new era for Microsoft’s most important, lucrative, and popular platform thanks to its solid and secure new foundations and consumer-friendly capabilities that were poised for a new era of connectivity.

But that new era unceremoniously came to a crashing halt less than two months after Windows XP shipped, and right in the middle of a well-deserved vacation for Jim Allchin, who had previously won the internal battle between Windows and the web and had successfully shepherded the back-to-back development of Windows 2000 and Windows XP. On December 20, 2001, the security researchers at eEye Security announced that they had discovered major security vulnerabilities in the recently released Windows XP.

“Windows XP, by default, ships with a UPNP (Universal Plug and Play) Service that can be used to detect and integrate with UPNP aware devices,” the firm explained. “eEye has discovered three vulnerabilities within Microsoft's UPNP implementation: a remotely exploitable buffer overflow that allows an attacker gain System-level access to any default installation of Windows XP, a Denial of Service (DoS) attack, and a Distributed Denial of Service (DDoS) attack. eEye would like to stress the extreme seriousness of this vulnerability.”

UPnP is a technology that enables devices on a network to discover and communicate with each other seamlessly. The name is meant to evoke the earlier “Plug and Play” technology that Microsoft had created for Windows 95 and peripheral connectivity, especially via USB. Microsoft had added UPnP compatibility to previous Windows versions like Windows 98 and Windows ME, but it was disabled by default on those systems because of the relative rarity of home networking at the time.

Windows XP, however, was poised for a future in which home networks and connected devices would be comm...