Microsoft MS01-059, Universal Plug-n-Play vulnerability.

From: Mark Medici (mark@dbma.com)
Date: 12/21/01


Date: Fri, 21 Dec 2001 14:42:40 -0500
From: "Mark Medici" <mark@dbma.com>
To: <focus-ms@securityfocus.com>

Does anyone have any information on the protocols and/or ports used
by Universal Plug-n-Play (uPnP)? I'm not looking for specific
sample code or a working exploit. However, I do want to know if
this vulnerability can be exploited from the Internet, and if so,
how to block it at our firewalls and border routers.

Microsoft and CERT announced a vulnerability affecting Windows/XP,
Windows/Me and, potentially, Windows/98 with Universal Plug-n-Play.
See http://www.microsoft.com/technet/security/bulletin/MS01-059.asp
for details.

Obviously, installing Microsoft's patch (Q315000 for Windows/XP, the
most critical platform) is essential. But users (our own and our
customers) frequently get new machines or reload existing ones and
put them on the network for several days before a SysAdmin learns of
their presence to properly patch them.

If there are specific protocols and/or ports that can be associated
with Universal Plug-n-Play, then these can be blocked by our
firewalls, border routers and personal firewalls to protect against
exploits even if one of our users is remiss in installing patches.

Further information is welcome.