Invalid Universal Plug and Play (UPnP) Request

A vulnerability exists in the Universal Plug and Play (UPnP) service which could allow a malicious remote or local user to degrade system performance by issuing an invalid UPnP request.

Issue

The Universal Plug and Play (UPnP) service allows computers to discover and use network-based devices. Windows ME and XP include native UPnP services; Windows 98 and 98SE do not include a native UPnP service, but one can be installed via the Internet Connection Sharing client that ships with Windows XP.

A vulnerability results because the UPnP service does not correctly handle certain types of invalid UPnP requests. On Windows 98, 98SE, and ME systems, receiving such a request could cause a variety of effects ranging from slow performance to system failure. On Windows XP, the effect is less serious because the flaw is a memory leak. Each time a Windows XP system receives such a request, a small amount of system memory becomes unavailable; repeated many times, this could deplete system resources to the point where performance slows or stops altogether.

Affected Products

  • Microsoft Windows 98, Me and XP

Solution

Users of Windows Me and Windows XP should use the Windows Update feature to install a patch.

Users of Windows 98 and 98SE should download and install this patch.

Further Details

Source: Microsoft Corporation

Reference: Microsoft Corporation

Updated: November 1, 2001