[23652] in bugtraq


RE: Too much misleading advice on the Universal Plug-and-Play security hole

daemon@ATHENA.MIT.EDU (David LeBlanc)
Sun Dec 30 19:33:55 2001

From: "David LeBlanc" <dleblanc@mindspring.com>
To: "'Richard M. Smith'" <rms@computerbytesman.com>,
        "'Marc Maiffret'" <marc@eeye.com>, <bugtraq@securityfocus.com>
Date: Sat, 29 Dec 2001 13:53:22 -0800
Message-ID: <004b01c190b3$3d523cf0$0800a8c0@davenet.local>
In-Reply-To: <001d01c18efb$2a4b54c0$6401a8c0@rms>



> From: Richard M. Smith [mailto:rms@computerbytesman.com] 

>    "Customers using Windows 98, 98SE or ME should apply the patch 
>    if the Universal Plug and Play (UPNP) service is installed 
> and running"

As Matt pointed out, it will only be there if you've installed Internet
Connection Sharing that came with XP. I'm not 100% sure on this, being a
long-time NT-Win2k-XP bigot who hasn't run the Win9x line since '95 was
in beta.
 
> BTW, another option that the FBI is offering at the
> www.nipc.gov Web site is to turn off UPNP altogether:
>
>    Update: "Universal Plug and Play Vulnerabilities"
>    http://www.nipc.gov/warnings/advisories/2001/01-030-2.htm

Which is incorrect information that will leave you vulnerable because it
tells you to turn off the WRONG service. NIPC, unfortunately, isn't a
very good source of information right now. Vendor bulletins and this
list are better (IMHO).

David LeBlanc
dleblanc@mindspring.com

