![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
A flash of evil / GIP
2008-01-16 03:18 pmThis article in InfoWorld points to a particularly disturbing article and accompanying FAQ:
Turn off UPnP on any device where it's not absolutely essential. The article says, "Users could avoid this attack by turning UPnP off on their routers, where it is normally enabled by default, but this would cause a variety of popular applications, such as IM software, games, and Skype, to break and require manual configuration on the router", but it's not as bad as all that. Skype, IM, and games work perfectly well on my kids' Windows boxes, and my router is a Linux box without UPnP.
Not surprisingly, Microsoft is a major promoter of UPnP -- it stands for "Universal Plug and Play" and, like so many "features" from Microsoft, it's supposed to make things easier for their users. If they made cars, they'd all have the same key because somebody with two cars might get them mixed up.
Gratuitous Icon Post: The icon comes from the print I bought recently from![[livejournal.com profile]](https://www.dreamwidth.org/img/external/lj-userinfo.gif)
ohiblather's shop on deviantART.
The code, published over the weekend by researchers Adrian Pastor and Petko Petkov, exploits features in two technologies: The UPnP (Universal Plug and Play) protocol, which is used by many operating systems to make it easier for them to work with devices on a network, and Adobe Systems' Flash multimedia software.The InfoWorld article's title is "Flash attack could take over your router", but it's really much more general than that: a maliciously-crafted flash movie could theoretically take over any UPnP device as long as it could guess its local IP address. Routers just happen to be ubiquitous, and come with only a limited number of default setups.
By tricking a victim into viewing a malicious Flash file, an attacker could use UPnP to change the primary DNS server used by the router to find other computers on the Internet. This would give the attacker a virtually undetectable way to redirect the victim to fake Web sites. For example, a victim with a compromised router could be taken to the attacker's Web server, even if he typed Citibank.com directly into the Web browser navigation bar.
Turn off UPnP on any device where it's not absolutely essential. The article says, "Users could avoid this attack by turning UPnP off on their routers, where it is normally enabled by default, but this would cause a variety of popular applications, such as IM software, games, and Skype, to break and require manual configuration on the router", but it's not as bad as all that. Skype, IM, and games work perfectly well on my kids' Windows boxes, and my router is a Linux box without UPnP.
Not surprisingly, Microsoft is a major promoter of UPnP -- it stands for "Universal Plug and Play" and, like so many "features" from Microsoft, it's supposed to make things easier for their users. If they made cars, they'd all have the same key because somebody with two cars might get them mixed up.
Gratuitous Icon Post: The icon comes from the print I bought recently from
ohiblather's shop on deviantART.