Microsoft Pushes Patch for UPnP Security Flaw
Microsoft on Thursday issued a stern security warning, advising all users of Windows 9x, Me and XP to apply a patch for the Universal Plug and Play (UPnP) service if it is active. eEye Digital Security discovered two vulnerabilities in the service, which allows computers to discover and use network-based devices. A buffer overrun vulnerability, most dangerous to client machines running Windows XP, makes it possible for an attacker to gain complete control over an affected system.
According to Microsoft, "There is an unchecked buffer in one of the components that handle NOTIFY directives – messages that advertise the availability of UPnP-capable devices on the network. By sending a specially malformed NOTIFY directive, it would be possible for an attacker to cause code to run in the context of the UPnP service, which runs with System privileges on Windows XP. (On Windows 98 and Windows ME, all code executes as part of the operating system)."
A second vulnerability exists because UPnP does not limit the NOTIFY messages it accepts. If a server were configured to send a request to download a new device back to the client, the UPnP service could potentially become stuck in an endless loop. Moreover, "an attacker could specify a third-party server as the host for the device description in the NOTIFY directive. If enough machines responded to the directive, it could have the effect of flooding the third-party server with bogus requests, in a distributed denial of service attack."
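The two flaws described above come down to missing bounds on NOTIFY input and no restriction on where the device description is fetched from. The following is an added example, not Microsoft's code or the logic of its patch: a receiver-side check that applies size limits and only accepts a description URL on the host that sent the NOTIFY. The limits, the same-host policy, the function name and the sample datagram are all assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed limits for this sketch; they are not taken from Microsoft's patch.
MAX_DATAGRAM = 1500      # bytes accepted for one NOTIFY
MAX_HEADERS = 32
MAX_HEADER_VALUE = 256   # bytes per header value

def check_notify(datagram: bytes, sender_ip: str):
    """Return (accepted, reason) for one SSDP NOTIFY received from sender_ip."""
    if len(datagram) > MAX_DATAGRAM:
        return False, "datagram too large"
    try:
        head = datagram.decode("ascii").split("\r\n\r\n", 1)[0]
    except UnicodeDecodeError:
        return False, "non-ASCII bytes"
    request_line, *header_lines = head.split("\r\n")
    if request_line != "NOTIFY * HTTP/1.1":
        return False, "not a NOTIFY request"
    if len(header_lines) > MAX_HEADERS:
        return False, "too many headers"
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            return False, "malformed header"
        if len(value.strip()) > MAX_HEADER_VALUE:
            return False, "header value too long"
        headers[name.strip().lower()] = value.strip()
    if headers.get("nts") != "ssdp:alive":
        return True, "no description to fetch"
    # Only fetch a device description from the host that sent the NOTIFY.
    try:
        url = urlsplit(headers.get("location", ""))
        host = ipaddress.ip_address(url.hostname or "")
    except ValueError:
        return False, "Location is not a URL with an IP-literal host"
    if url.scheme != "http":
        return False, "Location is not http"
    if host != ipaddress.ip_address(sender_ip):
        return False, "Location points at a third-party host"
    return True, "ok"

# Constructed sample datagrams (not captured traffic).
GOOD = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
        b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
        b"LOCATION: http://192.168.1.20:5431/desc.xml\r\n\r\n")
THIRD_PARTY = GOOD.replace(b"192.168.1.20", b"203.0.113.7")  # Location names another host
```

Calling `check_notify(THIRD_PARTY, "192.168.1.20")` rejects the announcement because its description URL names a host other than the sender, which is the condition the quoted flooding scenario depends on.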
Microsoft has established a security bulletin for the problem and has issued a patch for download. All customers running Windows XP should apply the patch immediately. Those running Windows 98, 98SE, or Me should also apply the patch if UPnP is installed. For more information and to download the fix, visit Microsoft TechNet.