Critical security vulnerabilities in Microsoft Corp.'s Windows XP desktop operating system that were made public in late December pose a lesser threat to corporate users than to consumers, a company spokesman said.

Microsoft issued a security bulletin on Dec. 20 strongly urging all Windows XP users to immediately apply a patch to address a vulnerability in the Universal Plug and Play (UPnP) service that's enabled by default in Windows XP.

Users running Windows 98, 98SE and ME also need to apply the patch, but only if the UPnP service is installed and running on their PCs, Microsoft said.

On Oct. 29, four days after Windows XP shipped, eEye Digital Security in Aliso Viejo, Calif., informed Microsoft of the vulnerability in its UPnP service, which allows an operating system to discover and use new hardware added to the network, a Microsoft spokesman said.

Windows product manager Charmaine Gravning classified the vulnerability as "critical" but said Microsoft isn't aware of any problems that have occurred as a result of it.

Russ Cooper, moderator of the NTBugtraq mailing list and an analyst at TruSecure Corp., a Reston, Va.-based security firm, said he wouldn't be surprised to see "some large-scale attack" using home machines or possibly PCs in a university environment, with "some group taking control of hundreds of thousands of machines and using them for a distributed denial-of-service attack or some sort of attack against a site by many, many machines."

But Cooper predicted that it won't happen for a month or two, since it typically takes time for hackers to learn how to exploit such problems.

Cooper advised corporate IT departments to make sure their intrusion-detection systems are looking for anything that uses UPnP protocols, and to turn off the UPnP feature if they're not using it, or else install the patch.

Charles Kolodgy, an analyst at IDC in Framingham, Mass., said businesses face a low risk from outside parties and a medium risk from inside their LANs that security policies should help mitigate. "This is a consumer vulnerability, for the most part," he said.

"For corporations, the internal IP addresses should be protected behind a firewall, thus a targeted attack which requires an IP address would be difficult to execute," Kolodgy said. A broadcast attack, which doesn't need an IP address, "appears impossible to execute" because the messages that advertise the availability of UPnP-capable devices can't be routed, so devices outside a LAN couldn't broadcast the messages into it, he explained.

The UPnP capability runs by default on Windows XP. Windows ME has native UPnP capability, but users must activate it. For Windows 98 and 98SE, UPnP must be installed via the Internet Connection Sharing client that ships with Windows XP. Windows NT 4.0 and 2000 don't support UPnP.