========================================================
BRIAN LIVINGSTON: "Window Manager"
InfoWorld.com
========================================================
Monday, January 14, 2002
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
PLUG-AND-PREY FIASCO
Posted January 11, 2002 01:01 PM Pacific Time

BY NOW, YOU'VE probably heard about the serious security hole that's installed by default on all systems running Windows XP. As Microsoft acknowledged on Dec. 20, the so-called UPnP (Universal Plug and Play) feature in XP allows malicious hackers to send commands across the Internet to your PC and "gain complete control over the system" (see http://www.microsoft.com/technet/security/bulletin/ms01-059.asp for an explanation and a patch).

This weakness, which opens any affected machine to Trojan horses that can run DDoS (distributed denial of service) attacks, was quickly dubbed "Plug and Prey."

Despite the issuance of the patch, Microsoft was criticized for taking two months to solve the problem after being informed of it in October by eEye Digital Security ( http://www.eeye.com/html/Research/Advisories/AD20011220.html ), a consulting firm based in Aliso Viejo, Calif.

Furthermore, the patch alone may not be enough to completely protect your system. The National Infrastructure Protection Center (NIPC) of the U.S. Federal Bureau of Investigation followed Microsoft's announcement with a strong recommendation that users should disable UPnP services, not merely run the patch -- a position eEye reiterates.

Besides XP, the problem also affects Windows 98 and Windows Me systems on which UPnP was directly installed. (Some computer makers installed UPnP and enabled it by default on Me systems.)

The FBI bulletin (available at http://www.nipc.gov/warnings/advisories/2001/01-030-2.htm ) describes several procedures you can take to disable UPnP on different flavors of Windows.

Fortunately, there's now a better way. Security expert Steve Gibson, who's well-known for his prerelease criticism of several security weaknesses built into Windows XP, has posted a free tool that easily disables and re-enables UPnP on any version of Windows.
The tiny (22KB) program -- called UnPlug n' Pray, another naming variant on the latest security fiasco -- can be downloaded at http://www.grc.com/UnPnP/UnPnP.htm .

As Gibson explains it, Universal Plug and Play is not related to the well-known Plug and Play service, which allows peripheral devices to be plugged in and removed without rebooting the PC. UPnP, which makes a device available to several computers on a network, would more accurately be called Network Device Setup.

Unfortunately, UPnP essentially allows anyone on the Internet to pose as a device and gain control of your system. In addition, some personal firewalls are vulnerable to UPnP traffic, and most Windows Me systems on which OEMs enabled UPnP have no firewalls at all.

I'll discuss next week the scenario of millions of machines being turned into DDoS attack zombies. Meanwhile, get Gibson's utility, and pray.

- - - - - - - - - - - - - - - - - - - - - - - - - - - -
Copyright 2002 InfoWorld Media Group Inc.
