Bugtraq mailing list archives
Too much misleading advice on the Universal Plug-and-Play security hole
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Wed, 26 Dec 2001 13:03:32 -0500
Hi, The more I look at the security problems in the Universal Plug-and-Play (UPNP) feature of Windows, the more I think it is a big mistake to characterized them as Windows XP problems. It is entirely possible that there are more Windows ME (Millennium Edition) users who are vulnerable to the security hole than XP users. The risk here is that Windows ME users won't get the Microsoft patch because they assume the problems are only for XP given most of the press coverage so far. I believe better advice is that all Windows XP and ME users should either get the Microsoft patch or make sure that UPNP is turned off. Pretty clearly the security problems were introducted when Microsoft starting shipping Windows ME during the summer of 2000: Microsoft Windows Millennium Edition Released to Manufacturing June 19, 2000 http://www.microsoft.com/presspass/press/2000/Jun00/WinMeReleasePR.asp "and the first implementation of Universal Plug and Play technology in a Microsoft product." So the problems with the UPNP server are actually more than a year and half old. More accurately these bugs are Windows ME bugs that have been passed along to Windows XP. I just checked my two XP system at my house and UPNP was not installed on either one of them. One XP system is an OEM version shipped by Compaq. The second XP system was upgraded from Windows 98. On the other hand, my two Windows ME systems both had UPNP enabled. Given my experience, I think it is difficult to say exactly who will be affected by these bugs. Computer makers don't seem to be following the rules for installing UPNP as described by Microsoft in their security bulletin. Richard M. Smith http://www.computerbytesman.com
Current thread:
- Too much misleading advice on the Universal Plug-and-Play security hole Richard M. Smith (Dec 26)
- RE: Too much misleading advice on the Universal Plug-and-Play security hole Marc Maiffret (Dec 27)
- RE: Too much misleading advice on the Universal Plug-and-Play security hole Richard M. Smith (Dec 29)
- RE: Too much misleading advice on the Universal Plug-and-Play security hole David LeBlanc (Dec 30)
- RE: Too much misleading advice on the Universal Plug-and-Play security hole Paul Schmehl (Dec 29)
- Re: Too much misleading advice on the Universal Plug-and-Play security hole Matthew Caron (Dec 29)
- RE: Too much misleading advice on the Universal Plug-and-Play security hole Richard M. Smith (Dec 29)
- RE: Too much misleading advice on the Universal Plug-and-Play security hole Marc Maiffret (Dec 27)