CRIME NIPC Advisory 01-030.3 Update "Universal Plug and Play Vulnerabilities"

From: Goerling, Richard J. LT (TAD to CGIC Portland) (RIGoerling@private)
Date: Thu Jan 03 2002 - 08:43:53 PST

Next message: George Heuston: "CRIME FW: NIPC Daily Report, 3 January 2002"

Previous message: BAIRD Dion E * DAS DOIT: "CRIME FTP File Solution"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----Original Message-----
From: NIPC Watch [mailto:nipc.watch@private]
Sent: Thursday, January 03, 2002 8:26 AM
To: Daily Distribution; tstultler@private; ansir@private; dreiff@private
Subject: NIPC Advisory 01-030.3 Update "Universal Plug and Play
Vulnerabilities"

National Infrastructure Protection Center
Update "Universal Plug and Play Vulnerabilities"
ADVISORY 01-030.3
January 03, 2002

This advisory updates NIPC Advisory 01-030 regarding what Microsoft 
refers to as critical vulnerabilities in the Universal Plug and Play 
(UPnP) service in Windows XP, Millennium Edition (ME), and Windows 98 or 
98SE systems. These vulnerabilities could lead to denial of service 
attacks and separately to system compromises. Since the discovery of 
these vulnerabilities by eEye Digital Security, Microsoft Corporation 
has released a software patch and a detailed security bulletin regarding 
the problem, instructions for installing the patch as well as 
instructions to disable the UPnP service if patch installation is 
impracticable. Based upon a careful review of the written technical 
materials provided by Microsoft Corporation and in agreement with CERT 
Coordination Center (CERT/CC) at Carnegie Mellon University, NIPC 
recommends that affected users install the Microsoft patch. Although 
neither NIPC nor CERT/CC has actually laboratory tested the patch, we 
are satisfied that it corrects the problem that could lead to system 
compromise and affords substantial and adequate protection from the UPnP 
vulnerability that could lead to denial of service attacks.

Microsoft Corporation and CERT/CC substantially contributed to this 
advisory through their close cooperation throughout the recent holiday 
period. The software patch and latest version of the Microsoft Security 
Bulletin (updated on 31 December) is available at:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS01-059.asp 

Systems Affected:

_ Windows XP installs and runs UPnP by default.
_ Windows ME provides native support for UPnP, but it is neither 
installed nor running by default.
_ Windows 98 and 98SE only use UPnP when specifically installed by the 
Internet Connection Sharing program.

The NIPC encourages recipients of this alert to report computer 
intrusions to their local FBI office 
http://www.fbi.gov/contact/fo/fo.htm or the NIPC, and to other 
appropriate authorities. Recipients may report incidents online at 
http://www.nipc.gov/incident/cirr.htm, and can reach the NIPC Watch and 
Warning Unit at (202) 323-3205, 1-888-585-9078 or nipc.watch@private

Next message: George Heuston: "CRIME FW: NIPC Daily Report, 3 January 2002"
Previous message: BAIRD Dion E * DAS DOIT: "CRIME FTP File Solution"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:38:14 PDT