What is all the fuss about?
On Thursday, December 20, 2001, Microsoft revealed that the hackers at eEye had discovered multiple critical security flaws in all versions of Windows using Universal Plug and Play:
Quoting from eEye’s press release:
Translating eEye’s and Microsoft’s statements into consequences, this means that without the security update patch, and with the Universal Plug and Play (UPnP) system in its default “enabled” state, any of the many millions of Internet-connected UPnP-equipped Windows systems could be remotely commandeered and forced to download and run any malicious code of a hacker’s design. This includes using the machine to launch potent Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
This means that extremely damaging CodeRed and Nimda-style worms can now be written for millions of Windows machines. Whereas the Microsoft IIS server worms of 2001 found and infested ‘only’ several hundred thousand IIS servers, a Windows “Universal Plug and Play” worm would have more than ten million XP systems, in addition to many more Windows 98/ME systems, upon which to prey today.
How is UnPnP used?
UnPnP’s management of your system’s Universal Plug & Play system is “sticky”: the change it makes persists on its own. Nothing is installed or left running in your machine, and after its use you can freely delete the utility.
Simply download this small (22 KB) Windows application, then run it to display and optionally alter the current state of your system’s UPnP services. Once this work has been done, everything is set and you no longer need this UnPnP utility. You may wish to keep it around in the event that you need to re-enable your system’s UPnP system someday, but you will always be able to grab a fresh copy from our web site.
If you should ever need to re-enable your system’s UPnP system, simply rerun this UnPlug n’ Pray utility.
What, exactly, does UnPnP do?
Under Windows XP, the Universal Plug & Play system is supported by two service processes, the “SSDP Discovery Service” (SSDPDS) and the “Universal Plug and Play Device Host” (UPNPDH). Although both services are configured to start on demand, in practice the SSDP service is started whenever Windows XP boots. The SSDPDS service is the Internet server component that opens a listening port and thereby exposes Windows XP to the global Internet. The UPNPDH service is only started when needed, and its operation depends upon SSDPDS.
To disable the Universal Plug & Play system, UnPnP first stops the UPNPDH service if it is running, then disables its future operation. After this is done the SSDPDS service is stopped and also disabled. This shuts down Windows XP’s external Internet server to prevent exposure to any presently known or later discovered UPnP vulnerabilities.
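The same stop-then-disable sequence, in the order the text gives (Device Host first, then SSDP Discovery), as an added PowerShell example that is not GRC’s UnPnP code. It assumes the standard Windows service names `upnphost` and `SSDPSRV`, an elevated shell, and the `Get-NetTCPConnection` cmdlet of current Windows; the listener port defaults to the TCP 5000 the text names for Windows XP.

```powershell
# Added example, not part of UnPnP. Assumed service names: 'upnphost' = UPnP Device Host
# (the text's UPNPDH), 'SSDPSRV' = SSDP Discovery (the text's SSDPDS). Run elevated.
function Disable-UPnPServices {
    # Device Host depends on SSDP, so it is stopped and disabled first, as the text describes.
    foreach ($name in @('upnphost', 'SSDPSRV')) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "Service '$name' is not present on this system"; continue }
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force -ErrorAction Stop }
        Set-Service -Name $name -StartupType Disabled
    }
}

function Enable-UPnPServices {
    # Reverse order for re-enabling: SSDP first, since the Device Host depends on it.
    foreach ($name in @('SSDPSRV', 'upnphost')) {
        Set-Service -Name $name -StartupType Manual -ErrorAction Stop
    }
}

function Test-UPnPDisabled {
    # Returns $true only when both services are stopped, set to Disabled, and nothing
    # is listening on the UPnP TCP port. Port 5000 is the XP value given in the text;
    # pass -Port to check a different one on other Windows versions.
    param([int]$Port = 5000)
    $ok = $true
    foreach ($name in @('upnphost', 'SSDPSRV')) {
        $cim = Get-CimInstance Win32_Service -Filter "Name='$name'"
        if (-not $cim) { continue }   # absent service cannot be exposed
        $state = "{0}: state={1}, startmode={2}" -f $name, $cim.State, $cim.StartMode
        Write-Host $state
        if ($cim.State -ne 'Stopped' -or $cim.StartMode -ne 'Disabled') { $ok = $false }
    }
    $listener = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    if ($listener) {
        Write-Warning ("TCP port {0} is still listening (PID {1})" -f $Port, $listener[0].OwningProcess)
        $ok = $false
    }
    return $ok
}

Disable-UPnPServices
if (Test-UPnPDisabled) { Write-Host 'UPnP server services are stopped and disabled.' }
```

`Test-UPnPDisabled` only inspects the TCP listener; as the text notes later, UPnP also uses UDP, so a stopped-and-disabled service state is the stronger check.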
What is “Universal Plug & Play” and why don’t I need it?
Universal Plug & Play is not related to the established Plug & Play hardware standard for PCs. Microsoft presumably adopted the name “Universal Plug & Play” because it is a warm and fuzzy feel-good name. A more descriptive name would have been “Network Plug & Play” since that is exactly what it is.
UPnP is a set of communications protocol standards that allow networked TCP/IP devices to announce their presence to all other devices on the network and then interoperate in a flexible, pre-defined fashion. There is nothing wrong with the idea, though even in the absence of security mistakes, it is not difficult to be concerned about the overall security of the system. If you want to learn more, the Universal Plug & Play Forum web site has additional information.
As for why you don’t need it: unless you actually have some UPnP devices on your local network, there is no one for the Windows UPnP system to talk to. It was bizarre and irresponsible for Microsoft to turn every Windows machine into a Universal Plug & Play Internet server, opening every machine to wide-ranging Internet exploitation. It is still irresponsible today.
Will a personal firewall, like ZoneAlarm, protect my system?
If you disable the unnecessary UPnP service you will not be vulnerable to current or future UPnP exploits whether or not you have a personal firewall. Our experiments and independent reports have indicated that some personal firewalls are penetrated by the UPnP service while others are effective in protecting the machine. Our ShieldsUP! Port Probe now checks for the UPnP TCP server running on port 5000. This allows you to determine whether that UPnP port is exposed to the world. However, you should not consider this conclusive since the UPnP protocol also uses UDP datagram messages which ShieldsUP! was not designed to test.
UnPnP says that UPnP is safely disabled, but my system’s personal firewall keeps reporting UPnP traffic on port 1900.
UnPlug n’ Pray shuts down the UPnP server services, but it does not prevent Windows or its programs from acting as UPnP clients. Client programs, including Windows itself and later versions of Windows Messenger, periodically search the local network for a UPnP router to control. This network noise is annoying, but it does not mean that Windows’ UPnP server is still active and insecure.
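To tell the client noise described above from actual server activity, the first line of the SSDP datagram on UDP port 1900 is enough: a client search starts with `M-SEARCH`, while a server advertising itself sends `NOTIFY` or a `200 OK` reply. This added PowerShell example (not GRC’s code) classifies a captured payload that way and cross-checks it against the assumed service names `upnphost` and `SSDPSRV`; the sample datagram is constructed for the example.

```powershell
# Added example, not part of UnPnP. Classifies an SSDP payload seen on UDP 1900.
function Get-SsdpMessageKind {
    param([string]$Payload)
    $firstLine = ($Payload -split "`r?`n")[0].Trim()
    switch -Regex ($firstLine) {
        '^M-SEARCH \* HTTP/1\.1$' { return 'client-search' }    # a client looking for devices
        '^NOTIFY \* HTTP/1\.1$'   { return 'server-notify' }    # a device announcing itself
        '^HTTP/1\.1 200 OK$'      { return 'server-response' }  # a device answering a search
        default                   { return 'unknown' }
    }
}

function Get-UPnPTrafficVerdict {
    # Combines the message kind with the local service state (assumed names: 'upnphost',
    # 'SSDPSRV'). Only NOTIFY / 200 OK originating here means the server side is active.
    param([string]$Payload)
    $kind = Get-SsdpMessageKind -Payload $Payload
    $serverRunning = @('upnphost', 'SSDPSRV') | ForEach-Object {
        (Get-Service -Name $_ -ErrorAction SilentlyContinue).Status -eq 'Running'
    } | Where-Object { $_ } | Measure-Object | Select-Object -ExpandProperty Count
    switch ($kind) {
        'client-search' { return 'Client search for a UPnP router: harmless noise, server not implied.' }
        'unknown'       { return 'Not an SSDP start line; inspect the payload manually.' }
        default {
            if ($serverRunning -gt 0) { return "Server-side SSDP ($kind) and UPnP services are running: server is active." }
            return "Server-side SSDP ($kind) but UPnP services are stopped: came from another host on the LAN."
        }
    }
}

# Constructed sample: the kind of search Windows sends when looking for a UPnP router.
$sample = "M-SEARCH * HTTP/1.1`r`nHOST: 239.255.255.250:1900`r`nMAN: `"ssdp:discover`"`r`nMX: 3`r`nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1`r`n`r`n"
Get-SsdpMessageKind -Payload $sample      # client-search
Get-UPnPTrafficVerdict -Payload $sample
```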
Will a NAT Router, like a Linksys, protect my system?
A non-UPnP aware NAT router makes a terrific hardware firewall since it discards unexpected and unsolicited inbound Internet packets. But as routers become UPnP-aware their behavior will need to be carefully scrutinized with regard to Internet pass-through. We can hope that they will offer explicit UPnP security to prevent external traffic from entering the internal network. But in any event, our ShieldsUP! Port Probe can always be used to quickly check your network’s external UPnP profile.
How can UnPlug n’ Pray be so small? Only 22 KB?
I have been programming computers for more than three decades. There’s nothing I love more. You can see this experience and caring in every piece of software I create. I write all of my software in 100% pure assembly language — the raw native language of the Intel microprocessor. I use it because, as the actual language of the system, it requires no inefficient translation from an easier-to-use “high level” language.
Some people develop software because it’s their job — it’s what they do to survive. I do it for the sheer joy of creating and sharing useful, tight, efficient and effective tools. It is one of my favorite forms of communication.