XP Universal Plug and Play
Published by Marc Liron - Microsoft MVP
Universal Plug And Play - Security Warning - 23rd June 2003
On 20 December 2001 Microsoft admitted that Universal Plug And Play (UPnP) in Windows XP posed a security threat to ALL users of its latest operating system! In fact the threat was so bad at that time that:
- Scott Culp, Manager of Microsoft's Security Response Center, remarked "Every Windows XP user needs to immediately take action". He also called it a "Very serious vulnerability."
- At one point even the FBI were recommending that Windows XP users disable the Universal Plug And Play service on their machines!
You may remember the "Code Red" virus that spread around servers the world over? It was able to spread because of a buffer overrun, the same type of vulnerability that Universal Plug And Play has, and it caused millions of pounds worth of damage. An attack of the same kind could now be mounted against the millions of Windows XP users worldwide. This is a serious issue indeed and one that "ordinary" folk should take notice of, NOT just the "techies".
We live in an ever more inter-connected world. The Internet has given us the ability to do things that just a decade ago we could only dream of. However, the computers and operating systems that connect to this global network are only just maturing. For instance, Windows XP is the first Windows operating system to include firewall capabilities, yet we had been using previous versions of Windows to connect to the Internet for at least 6 years before that, and most of those PCs would NOT have had ANY firewall protection at all.
So What Is The Problem...?
The Universal Plug And Play service has TWO security issues. They are unrelated to each other, but both concern how UPnP-capable PCs handle the discovery of new devices on a network, including the Internet.
The first problem is a buffer overrun vulnerability. There is an unchecked buffer in one of the components that handles the messages advertising the availability of UPnP-capable devices on a network. An attacker could gain access to your COMPLETE SYSTEM via the Universal Plug And Play subsystem, because that subsystem runs with full system privileges under Windows XP...
The second problem is that there is no limit on how UPnP fetches information from remote devices. This fault can lead to two different denial of service (DoS) attacks on a user's machine.
So I think you would agree that you MUST do something about it...
Microsoft have issued security bulletin MS01-059, which explains the issues and what you can do about them in great depth. Also, if you have applied SP1 to your machine, Microsoft claim you should now be "patched" against the problem. However, this issue is too important to rely on Microsoft's patches alone, and there are even reports of subsequent updates to SP1 undoing the original patch!
So the DIY solution is to:
- Disable the service on your own machine,
- OR check that it has already been disabled.
To do this you need to be logged into Windows XP with admin rights.
1. Go to Run on the Start Menu and type cmd.exe (Figure 1)
2. At the command prompt type netstat -an (Figure 2)
Here we see a system that is wide open to the world: TCP port 5000 is listening and UDP port 1900 is accepting inbound datagrams. This is a VERY insecure state to be in. You can remove this threat by disabling the "SSDP Discovery Service"; on doing this the "Universal Plug and Play Device Host" service will also be stopped, and so both ports will be closed.
You do not need these ports open unless you are using UPnP services on your network (and the vast majority of you will not be), in which case both of the services we will be closing can be started again with minimal fuss.
Figure 3 shows a system that has the SSDP Discovery Service disabled and the service stopped.
3. To disable the service yourself, go to the Start Menu and select Run. Type services.msc and a new window should appear listing all the services on your machine. Highlight the service called SSDP Discovery Service. (Figure 4)
4. Right click on the service and you will be presented with the following dialog box: (Figure 5)
5. The SSDP Discovery Service should be set to Disabled under Startup Type. Yours will currently be Manual or Automatic. Then stop the service by clicking the Stop button as displayed in Figure 5. Now hit the Apply button and close the dialog box by clicking OK.
On clicking the Stop button, another dialog box will appear! This is OK, as the Universal Plug and Play Service is dependent on the SSDP Discovery Service, so when you stop it, the Universal Plug and Play Service is stopped as well...
This is EXACTLY what you want to do!
The reason for this is that the SSDP Discovery Service is an Internet server component which opens and exposes your Windows XP machine to the GLOBAL Internet! You may read some misinformed articles on the Internet that tell you that by disabling the Universal Plug and Play Service you are OK.
Sadly this is NOT the case.... The correct action is to Stop and Disable the SSDP Discovery Service.
By doing this you are closing off any currently known, and possible future, UPnP vulnerabilities. There is no need to try and disable the Universal Plug and Play Service as it CANNOT run without the SSDP Discovery Service running! If you do try to run the Universal Plug and Play Service from the Services panel, you will get the standard "Error 1068 - This dependency service or group failed to start."
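The same check-and-disable procedure can be scripted from the cmd.exe prompt, which is handy for the periodic re-check recommended later in this article and for reversing the change as described in the FAQ. The script below is an added example, not part of the original article: it assumes the Windows service short names SSDPSRV (SSDP Discovery Service) and upnphost (Universal Plug and Play Device Host), and must be run from an administrator command prompt.

```batch
@echo off
rem upnp_check.cmd - added example, not from the original article.
rem Assumes the service short names SSDPSRV (SSDP Discovery Service) and
rem upnphost (Universal Plug and Play Device Host). Run as an administrator.
rem Usage:  upnp_check.cmd check | disable | enable

setlocal
if "%~1"=="" goto usage
if /i "%~1"=="check"   goto check
if /i "%~1"=="disable" goto disable
if /i "%~1"=="enable"  goto enable
goto usage

:check
echo === Sockets used by UPnP (TCP 5000 listening, UDP 1900 bound) ===
rem netstat -an prints one line per socket; find keeps only the UPnP ports.
rem No output here means the ports are closed.
netstat -an | find ":5000 "
netstat -an | find ":1900 "
echo.
echo === Service state (STATE and START_TYPE lines only) ===
sc query SSDPSRV  | find "STATE"
sc qc SSDPSRV     | find "START_TYPE"
sc query upnphost | find "STATE"
goto end

:disable
rem Stop the dependent service first; "sc stop SSDPSRV" is refused while
rem another running service (upnphost) depends on it. This mirrors the
rem extra dialog that services.msc shows when you click Stop.
sc stop upnphost >nul 2>&1
sc stop SSDPSRV
rem Set the startup type to Disabled. The space after "start=" is required.
sc config SSDPSRV start= disabled
echo SSDP Discovery Service stopped and set to Disabled. Re-run with "check".
goto end

:enable
rem Reverse the change: Manual startup ("demand"), then start both services
rem in dependency order.
sc config SSDPSRV start= demand
sc start SSDPSRV
sc start upnphost
goto end

:usage
echo Usage: %~nx0 check ^| disable ^| enable
:end
endlocal
```

Run "upnp_check.cmd check" before and after the change: on an exposed machine the first section lists the 0.0.0.0:5000 and 0.0.0.0:1900 sockets, and afterwards it should print nothing there, with SSDPSRV reported as STOPPED and DISABLED.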
Frequently Asked UPnP Questions...
Can I reverse this process if I need to?
Yes. The disabling of these services is totally reversible. If you need to use UPnP on your machine in the future, then simply set the SSDP Discovery Service to Manual and restart the service. Then restart the Universal Plug and Play Service again.
Will disabling these services upset my machine?
No. By disabling the SSDP Discovery Service you will not interfere with the running of your machine, as it is ONLY required for UPnP.
I Still Get UDP Port Messages From My Firewall.
After disabling the UPnP service you may still get messages informing you that there is traffic on UDP port 1900. This is because Windows UPnP-enabled software, such as Microsoft Messenger, will periodically check for the presence of a UPnP gateway/router. You can ignore these messages.
I Use a NAT Router - Am I At Risk?
Hardware NAT routers that connect you to the Internet are excellent at preventing unsolicited "packets" from entering your network. However, most manufacturers are going to make these NAT routers UPnP capable. This will give you enhanced functionality with NAT, but the UPnP security of these devices is going to need monitoring in the future. Hopefully we shall end up with more secure devices in the wake of Windows XP's UPnP vulnerabilities.
I Use Windows 98, Am I At Risk From UPnP Security Issues?
You could be. Windows 98 or 98SE does not come with Universal Plug And Play. BUT, if a Windows 98 or 98SE machine has been set up using the Internet Connection Sharing client from Windows XP, then yes, you could be at risk. However, if the Windows XP machine was "patched" prior to installing the Internet Connection Sharing client on the Windows 98 or 98SE machine, then you should be OK. I would, however, want to confirm this is the case if I were you.
What About Windows ME?
Windows ME does have Universal Plug And Play (UPnP) installed, but unlike Windows XP it is NOT running by default. You have to turn it on yourself. However, there have been a few cases where OEMs have configured pre-built systems with the UPnP service switched on, so always check to see if this is the case for you.
I Am Using ICS And Do Not Want To Disable UPnP.
When using Internet Connection Sharing (ICS) on a home network, the "main" PC acts as an Internet gateway. This gateway will not forward the harmful "packets" on to any other machine sharing the Internet connection. The "main" PC, however, is at risk. Many folks think that the Windows XP Internet Connection Firewall (ICF), which is enabled when you use the Network Wizard to set up Internet Connection Sharing, will fully protect them. This is NOT the case. It does offer very good protection, but it does not block all "broadcasts" to your network! Also, ICF is NOT enabled by default if you set up your network sharing configuration manually.
Is Manually Disabling UPnP Better Than The Official Patch?
No. I fully recommend you install the Microsoft official patch for this security issue. The patch from Microsoft, amongst other things, modifies one of the UPnP components so as to limit the capabilities of a remote Denial of Service attack scenario. This is something you cannot do manually!
What I am saying is that you have a choice. If you have not installed SP1 or the patch individually, then you can manually disable the UPnP service, as you are probably not going to require it. Also, you will want to periodically check that the service is still disabled after running patches from Microsoft. This article shows you how.
In Closing...
Microsoft make some great software. This article is NOT intended as a way of me "having a go" at Microsoft.... Over the last year Microsoft have been making real efforts with security.
However, I really do believe that Microsoft SHOULD NOT have left the UPnP services running by default on Windows XP machines. So let me repeat in closing: if you DO NOT need Universal Plug And Play on your home network or stand-alone home PC, then DISABLE Universal Plug And Play - today!
23rd June 2003