Bugtraq mailing list archives

Too much misleading advice on the Universal Plug-and-Play security hole


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Wed, 26 Dec 2001 13:03:32 -0500

Hi,

The more I look at the security problems in the Universal Plug-and-Play
(UPNP) feature of Windows, the more I think it is a big mistake to
characterized them as Windows XP problems.  It is entirely possible that
there are more Windows ME (Millennium Edition) users who are vulnerable
to the security hole than XP users.  The risk here is that Windows ME
users won't get the Microsoft patch because they assume the problems are
only for XP given most of the press coverage so far.

I believe better advice is that all Windows XP and ME users should
either get the Microsoft patch or make sure that UPNP is turned off.

Pretty clearly the security problems were introducted when Microsoft
starting shipping Windows ME during the summer of 2000:

  Microsoft Windows Millennium Edition Released to Manufacturing 
  June 19, 2000 
  http://www.microsoft.com/presspass/press/2000/Jun00/WinMeReleasePR.asp

  "and the first implementation of Universal Plug and Play technology 
  in a Microsoft product."

So the problems with the UPNP server are actually more than a year and
half old.

More accurately these bugs are Windows ME bugs that have been passed
along to Windows XP.

I just checked my two XP system at my house and UPNP was not installed
on either one of them.  One XP system is an OEM version shipped by
Compaq.  The second XP system was upgraded from Windows 98.  On the
other hand, my two Windows ME systems both had UPNP enabled.  Given my
experience, I think it is difficult to say exactly who will be affected
by these bugs.  Computer makers don't seem to be following the rules for
installing UPNP as described by Microsoft in their security bulletin.

Richard M. Smith
http://www.computerbytesman.com
  




Current thread: