InfoWorld
Window Manager
Brian Livingston
Plug-and-prey fiasco

BY NOW, YOU'VE probably heard about the serious security hole that's installed by default on all systems running Windows XP. As Microsoft acknowledged on Dec. 20, the so-called UPnP (Universal Plug and Play) feature in XP allows malicious hackers to send commands across the Internet to your PC and "gain complete control over the system" (see www.microsoft.com/technet/security/bulletin/ms01-059.asp for an explanation and a patch). This weakness, which opens any affected machine to Trojan horses that can run DDoS (distributed denial of service) attacks, was quickly dubbed "Plug and Prey."

Despite the issuance of the patch, Microsoft was criticized for taking two months to solve the problem after being informed of it in October by eEye Digital Security (www.eeye.com/html/Research/Advisories/AD20011220.html), a consulting firm based in Aliso Viejo, Calif. Furthermore, the patch alone may not be enough to completely protect your system. The National Infrastructure Protection Center (NIPC) of the U.S. Federal Bureau of Investigation followed Microsoft's announcement with a strong recommendation that users should disable UPnP services, not merely run the patch -- a position eEye reiterates.

Besides XP, the problem also affects Windows 98 and Windows Me systems on which UPnP was directly installed. (Some computer makers installed UPnP and enabled it by default on Me systems.)

The FBI bulletin (available at www.nipc.gov/warnings/advisories/2001/01-030-2.htm) describes several procedures you can take to disable UPnP on different flavors of Windows. Fortunately, there's now a better way.

Security expert Steve Gibson, who's well known for his prerelease criticism of several security weaknesses built into Windows XP, has posted a free tool that easily disables and re-enables UPnP on any version of Windows. The tiny (22KB) program -- called UnPlug n' Pray, another naming variant on the latest security fiasco -- can be downloaded at www.grc.com/UnPnP/UnPnP.htm.

As Gibson explains it, Universal Plug and Play is not related to the well-known Plug and Play service, which allows peripheral devices to be plugged in and removed without rebooting the PC. UPnP, which makes a device available to several computers on a network, would more accurately be called Network Device Setup.

Unfortunately, UPnP essentially allows anyone on the Internet to pose as a device and gain control of your system. In addition, some personal firewalls are vulnerable to UPnP traffic, and most Windows Me systems on which OEMs enabled UPnP have no firewalls at all.

I'll discuss next week the scenario of millions of machines being turned into DDoS attack zombies. Meanwhile, get Gibson's utility, and pray.





Copyright 2002 InfoWorld Media Group, Inc.