Universal Plug and Play Vulnerabilities Discovered

Microsoft warned users Thursday to a critical vulnerability, the universal plug-and-play services, it may lead to system compromise, several software companies in the client operating system.

Windows XP and in Windows Me are vulnerable because of their native support for Universal Plug and Play (UPnP) service, which will allow computers to discover and use Web-based equipment. Windows Me, but these services are turned off by default. Windows 98 and Windows more affected, because such services in these operating systems can be installed from the Internet Connection Sharing client, ships with Windows XP.

Windows NT Workstation and Windows 2000 Professional Edition are not affected, according to the notice, because they do not support the UPnP.

Two unrelated flaw affects UPnP against by the new patch.

First is the buffer overflow handling components in the provision of e-mail advertisements UPnP-enabled devices on the network.

Second weakness from the Universal Plug and Play the failure to limit measures, the service will be taken to obtain information from a newly discovered device, making the system vulnerable to denial-of-service of the two.

Microsoft pointed out that the standard firewall, such as blocking port from 1900 to 5000, will protect corporate networks from Internet-based attacks. The company also said that the Internet Connection Firewall by default in Windows XP operating makes it harder to attack the use of the method.

This is the 59th security bulletin, Microsoft issued in 2001. Microsoft credited eEye Digital Security on this issue.