RE: Too much misleading advice on the Universal Plug-and-Play security hole

["Richard M. Smith" <rms () computerbytesman com>]

Hi Marc,

   >>> That means, and as I've said to one to many reporters, if you 
   >>> or someone you know is running Windows 98/ME/XP then you/they 
   >>> need to install the patch.

But that's not the advice that Microsoft is giving in their security
bulletin.  This is what it says about patching Windows 98 and ME:

   "Customers using Windows 98, 98SE or ME should apply the patch 
   if the Universal Plug and Play (UPNP) service is installed and
running"

The problem here is that Microsoft doesn't explain to customers how to
find out if UPNP is installed on their systems or not.  Folks are left
scratching their head if they need to get the patch.  To keep things
simple, Microsoft should just be telling everyone to always install the
patch on Windows 98/ME/XP.  I am sure most users have never heard of
UPNP.

BTW, another option that the FBI is offering at the www.nipc.gov Web
site is to turn off UPNP altogether:

   Update: "Universal Plug and Play Vulnerabilities"
   http://www.nipc.gov/warnings/advisories/2001/01-030-2.htm

I like this approach a lot because it protects against future UPNP
security holes and bad patches like the original 054 UPNP patch for
Windows ME.  I am confused why Microsoft doesn't include this same
information about turning off UPNP in their security bulletin. 

I am also still wondering why this problem is being characterized as
Windows XP bug, when the problem was clearly introduced when Windows ME
started shipping in 2000.  Even on their home page, Microsoft calls it a
Windows XP and UPNP bug without naming Windows ME or 98.  I understand
that marketing people don't like to talk about old products, but when it
comes to security holes, I think they need to make an exception.

Richard M. Smith
http://www.computerbytesman.com