23 August, 2006

D-Link Router Vulnerability and UPnP

eEye Digital Research notified D-Link in February of a flaw in the firmware of several of its routers. After six months without a fix from D-Link, eEye has notified the rest of us. If you have one of these routers, you may want to put some pressure on D-Link to correct this bug. In the meantime, turning off Universal Plug and Play (UPnP) will prevent the problem. For that matter, you may want to turn off UPnP whether you have this router or not.

UPnP was designed to make it easy for non-technical types to get their router properly configured by software. The problem is that when UPnP is enabled, any malware running on your PC could change your router settings without your knowledge. Steve Gibson and Leo Laporte first discussed the dangers of UPnP in Episode 3 of Security Now in September 2005.

Why, then, do we have UPnP? Microsoft has an article that talks about all the benefits of UPnP here. Regardless of the benefits, turn it off. Learn to make the manual changes required, so that you fully understand the implications, or do not compromise your security.
