Too much misleading advice on the Universal Plug-and-Play security hole

From: Richard M. Smith (rmsat_private)
Date: Wed Dec 26 2001 - 10:03:32 PST


    Hi,
    
    The more I look at the security problems in the Universal Plug-and-Play
    (UPNP) feature of Windows, the more I think it is a big mistake to
    characterize them as Windows XP problems.  It is entirely possible that
    there are more Windows ME (Millennium Edition) users who are vulnerable
    to the security hole than XP users.  The risk here is that Windows ME
    users won't get the Microsoft patch because they assume the problems are
    only for XP given most of the press coverage so far.
    
    I believe better advice is that all Windows XP and ME users should
    either get the Microsoft patch or make sure that UPNP is turned off.
    
    Pretty clearly the security problems were introduced when Microsoft
    started shipping Windows ME during the summer of 2000:
    
      Microsoft Windows Millennium Edition Released to Manufacturing 
      June 19, 2000 
      http://www.microsoft.com/presspass/press/2000/Jun00/WinMeReleasePR.asp
    
      "and the first implementation of Universal Plug and Play technology 
      in a Microsoft product."
    
    So the problems with the UPNP server are actually more than a year and
    a half old.
    
    More accurately these bugs are Windows ME bugs that have been passed
    along to Windows XP.
    
    I just checked my two XP systems at my house and UPNP was not installed
    on either one of them.  One XP system is an OEM version shipped by
    Compaq.  The second XP system was upgraded from Windows 98.  On the
    other hand, my two Windows ME systems both had UPNP enabled.  Given my
    experience, I think it is difficult to say exactly who will be affected
    by these bugs.  Computer makers don't seem to be following the rules for
    installing UPNP as described by Microsoft in their security bulletin.
    
    Richard M. Smith
    http://www.computerbytesman.com
      
    


