Davey Winder's Blog

Universal Plug and Hack

By Davey Winder in Editorial

Posted in IBM on April 11, 2007 at 4:35 pm


My friends over at IBM X-Force, the James Bond-sounding research and development team that came along as part of the recent Internet Security Systems (ISS) acquisition, have informed me that they reckon we should be on the alert for a Microsoft Universal Plug and Play (UPnP) flaw being exploited by the end of the week.

“Due to the ease of exploitation, we are taking this flaw very seriously,” says Tom Cross, X-Force Researcher at IBM Internet Security Systems, continuing, “however, since the UPnP service is not universally enabled in the corporate environment, it is unlikely that this flaw will result in a worm like Zotob.” The flaw in question allows a remote attacker to send a specially crafted HTTP request to the UPnP service; that request triggers a buffer overflow in the service, the old trick of writing more data than a fixed-size buffer can hold, and lets the attacker execute arbitrary code on the target system.
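To make concrete what the "buffer overflow trick" means here, the following is an added C illustration of the bug class. It is not code from the Microsoft UPnP service, and the page does not say which part of the HTTP request overflows, so this example does not claim to reproduce that: it simply shows a header value copied into a fixed-size buffer with no length check, beside a bounded version that rejects oversized values. The function names, the 32-byte buffer size and the sample request lines are all constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Size of the fixed buffer a header value is copied into (illustrative). */
#define HDR_VALUE_MAX 32

/* Vulnerable pattern: the header value is copied with strcpy, so a request
 * whose header value exceeds HDR_VALUE_MAX overruns 'out' and whatever
 * follows it in memory. It behaves correctly on benign input, which is why
 * this class of defect survives until someone sends a long value. Never
 * call this with attacker-controlled input; it is here to show the bug. */
int parse_header_unsafe(const char *line, char *out)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return -1;                 /* malformed: no "Name: value" */
    const char *value = colon + 1;
    while (*value == ' ')          /* skip optional whitespace */
        value++;
    strcpy(out, value);            /* unbounded copy: the overflow */
    return 0;
}

/* Hardened version: refuse any value that does not fit, copy only the bytes
 * up to end of line, and always NUL-terminate. Returns 0 on success,
 * -1 on a malformed line or zero-length buffer, -2 on an oversized value.
 * Rejecting (rather than silently truncating) keeps a crafted request from
 * ever reaching the copy. */
int parse_header_safe(const char *line, char *out, size_t outlen)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL || outlen == 0)
        return -1;
    const char *value = colon + 1;
    while (*value == ' ')
        value++;
    size_t n = strcspn(value, "\r\n");   /* value ends at end of line */
    if (n >= outlen)
        return -2;                       /* would overflow: reject it */
    memcpy(out, value, n);
    out[n] = '\0';
    return 0;
}

/* Classify one header line using a local scratch buffer; returns the same
 * verdict codes as parse_header_safe. */
int classify_header_line(const char *line)
{
    char scratch[HDR_VALUE_MAX];
    return parse_header_safe(line, scratch, sizeof scratch);
}

/* Build a constructed over-long header line ("HOST: " followed by 200 'A's)
 * and classify it. This stands in for the "particular HTTP request" of the
 * post without claiming to match the real one. */
int classify_crafted_line(void)
{
    char crafted[256] = "HOST: ";
    memset(crafted + 6, 'A', 200);
    memcpy(crafted + 206, "\r\n", 3);    /* copies the terminating NUL too */
    return classify_header_line(crafted);
}

int main(void)
{
    char buf[HDR_VALUE_MAX];
    const char *benign = "HOST: 192.168.0.1\r\n";   /* constructed sample line */

    /* The unsafe parser looks fine on benign input; the defect is latent. */
    printf("unsafe parser, benign line: rc=%d\n", parse_header_unsafe(benign, buf));
    printf("safe parser, benign line:   rc=%d\n", classify_header_line(benign));
    printf("safe parser, 200-byte value: rc=%d (rejected before any copy)\n",
           classify_crafted_line());
    return 0;
}
```

The point to take from the pair is that the safe parser does not depend on how the request was crafted: any value that cannot fit is refused before a single byte is copied, which is the property a patch for this kind of flaw has to restore.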

Of course, the point is that users of UPnP remain exposed unless and until they are patched (or the UPnP service is switched off, which, as X-Force notes, is already the case on many corporate machines), and we all know how slow many organisations are at rolling out such updates. If your security provider has not taken a pre-emptive approach to protecting its users, as IBM ISS has done, then you could be in trouble within a couple of days. My advice? Visit Microsoft and get patched now.

