LOL XP SUCKS check this out!!!!!

solrac

Mac Ninja

PLUG-AND-PREY FIASCO

Posted January 11, 2002 01:01 PM Pacific Time


BY NOW, YOU'VE probably heard about the serious
security hole that's installed by default on all
systems running Windows XP. As Microsoft acknowledged
on Dec. 20, the so-called UPnP (Universal Plug and
Play) feature in XP allows malicious hackers to send
commands across the Internet to your PC and "gain
complete control over the system" (see
http://www.microsoft.com/technet/security/bulletin/ms01-059.asp
for an explanation and a patch). This weakness, which
opens any affected machine to Trojan horses that can
run DDoS (distributed denial of service) attacks, was
quickly dubbed "Plug and Prey."

Despite the issuance of the patch, Microsoft was
criticized for taking two months to solve the problem
after being informed of it in October by eEye Digital
Security
(http://www.eeye.com/html/Research/Advisories/AD20011220.html),
a consulting firm based in Aliso Viejo, Calif.
Furthermore, the patch alone may not be enough to
completely protect your system. The National
Infrastructure Protection Center (NIPC) of the U.S.
Federal Bureau of Investigation followed Microsoft's
announcement with a strong recommendation that users
should disable UPnP services, not merely run the patch
-- a position eEye reiterates.

Besides XP, the problem also affects Windows 98 and
Windows Me systems on which UPnP was directly
installed. (Some computer makers installed UPnP and
enabled it by default on Me systems.)

The FBI bulletin (available at
http://www.nipc.gov/warnings/advisories/2001/01-030-2.htm)
describes several procedures you can take to disable
UPnP on different flavors of Windows. Fortunately,
there's now a better way.

Security expert Steve Gibson, who's well-known for his
prerelease criticism of several security weaknesses
built into Windows XP, has posted a free tool that
easily disables and re-enables UPnP on any version of
Windows. The tiny (22KB) program -- called UnPlug n'
Pray, another naming variant on the latest security
fiasco -- can be downloaded at
http://www.grc.com/UnPnP/UnPnP.htm.

As Gibson explains it, Universal Plug and Play is not
related to the well-known Plug and Play service, which
allows peripheral devices to be plugged in and removed
without rebooting the PC. UPnP, which makes a device
available to several computers on a network, would
more accurately be called Network Device Setup.

Unfortunately, UPnP essentially allows anyone on the
Internet to pose as a device and gain control of your
system. In addition, some personal firewalls are
vulnerable to UPnP traffic, and most Windows Me
systems on which OEMs enabled UPnP have no firewalls
at all.

I'll discuss next week the scenario of millions of
machines being turned into DDoS attack zombies.
Meanwhile, get Gibson's utility, and pray.
 