Plug-and-prey fiasco

As mentioned last week, Microsoft has offered an explanation and a patch for the serious security hole that's installed by default on all systems running Windows XP (see Microsoft Security Bulletin).

As Microsoft acknowledged on December 20, the so-called UPnP (Universal Plug and Play) feature in XP allows malicious hackers to send commands across the internet to your PC and "gain complete control over the system". This weakness, which opens any affected machine to Trojan horses that can run DDoS (distributed denial of service) attacks, was quickly dubbed "Plug and Prey".

Despite the issuance of the patch, Microsoft was criticised for taking two months to solve the problem after being informed of it in October by eEye Digital Security, a Californian consulting firm. Furthermore, the patch alone may not be enough to completely protect your system. The National Infrastructure Protection Centre (NIPC) of the US Federal Bureau of Investigation followed Microsoft's announcement with a strong recommendation that users should disable UPnP services, not merely run the patch -- a position eEye reiterates.

Besides XP, the problem also affects Windows 98 and Windows Me systems on which UPnP was directly installed. (Some computer makers installed UPnP and enabled it by default on Me systems.)

The FBI bulletin (available here) describes several procedures you can follow to disable UPnP on different flavours of Windows. Fortunately, there's now a better way.

Security expert Steve Gibson, who's well known for his prerelease criticism of several security weaknesses built into Windows XP, has posted a free tool that easily disables and re-enables UPnP on any version of Windows. The tiny (22KB) program -- called UnPlug n' Pray, another naming variant on the latest security fiasco -- can be downloaded here.

As Gibson explains it, Universal Plug and Play is not related to the well-known Plug and Play service, which allows peripheral devices to be plugged in and removed without rebooting the PC. UPnP, which makes a device available to several computers on a network, would more accurately be called Network Device Setup.

Unfortunately, UPnP essentially allows anyone on the internet to pose as a device and gain control of your system. In addition, some personal firewalls are vulnerable to UPnP traffic, and most Windows Me systems on which OEMs enabled UPnP have no firewalls at all.

Send tips to brian@brianlivingston.com. He regrets that he cannot answer individual questions. Send letters for publication in Computerworld to Computerworld Letters.
