RE: Too much misleading advice on the Universal Plug-and-Play security hole

From: David LeBlanc (dleblanc@mindspring.com)
Date: 12/29/01 

From: "David LeBlanc" <dleblanc@mindspring.com>
To: "'Richard M. Smith'" <rms@computerbytesman.com>, "'Marc Maiffret'" <marc@eeye.com>, <bugtraq@securityfocus.com>
Date: Sat, 29 Dec 2001 13:53:22 -0800

> From: Richard M. Smith [mailto:rms@computerbytesman.com]

> "Customers using Windows 98, 98SE or ME should apply the patch
> if the Universal Plug and Play (UPNP) service is installed
> and running"

As Matt pointed out, it will only be there if you've installed Internet
Connection Sharing that came with XP. I'm not 100% sure on this, being a
long-time NT-Win2k-XP bigot who hasn't run the Win9x line since '95 was
in beta.
 
> BTW, another option that the FBI is offering at the
www.nipc.gov Web site is to turn off UPNP altogether:

   Update: "Universal Plug and Play Vulnerabilities"
   http://www.nipc.gov/warnings/advisories/2001/01-030-2.htm

Which is incorrect information that will leave you vulnerable because it
tells you to turn off the WRONG service. NIPC, unfortunately, isn't a
very good source of information right now. Vendor bulletins and this
list are better (IMHO).

David LeBlanc
dleblanc@mindspring.com