Comments on: Tip of the day: It’s OK to enable UPnP

By: Mike

Mike — Fri, 30 Dec 2005 19:14:09 +0000

Steve Gibson is a media gadfly. Evening quoting his errors gives him more attention than he deserves.

By: Kent

Kent — Wed, 31 Dec 1969 17:00:00 +0000

The reason I uninstalled UPnP is that it prevented the icons (and associated programs) in my system tray from loading properly. I googled the problem, found a page describing the same problem and suggesting that removing UPnP would fix it. I removed it, the problem disappeared and (as far as I know) I have not lost any capability that I need.

By: Nicholas

Nicholas — Wed, 31 Dec 1969 17:00:00 +0000

http://www.grcsucks.com

By: Frank Schrader

Frank Schrader — Wed, 31 Dec 1969 17:00:00 +0000

You don’t even need to disable UPnP to solve the missing icon problem in the System tray/Notification area. All you need to do is go to My Network Places and under “Network Tasks” click on the the item that says “Don’t show icons for networked UPnP devices.” That will fix the missing icon problem but still allow UPnP to run.

By: Mark Odell

Mark Odell — Wed, 31 Dec 1969 17:00:00 +0000

Sorry, Ed, but I still haven't seen a compelling reasoned argument in favor of casting aside Windows Best Practices. There may be one; but if so, neither you nor Mr. Mullen have made it yet IMCO. Let's just let computer owners decide for themselves whose argument is stronger, shall we?

By: Ed Bott

Ed Bott — Wed, 31 Dec 1969 17:00:00 +0000

The Steve Gibson article is from 2001. Strip away the hype and alarmism and there’s nothing to it. He calls UPnP “insecure, exploit-prone, andprobably unnecessary.”

* It may have been insecure in 2001; that is not true today. Since December 2001, not a single security flaw has been uncovered that uses UPnP.

* To call UPnP exploit-prone is ludicrous; there are two documented and patched exploits, both of which are from 2001 (MS01-054 and MS01-059). If UPnP is so “exploit-prone,” where are the other exploits?

* “Probably unnecessary”? Again, that may have been true a few months after the release of Windows XP, but since that time there have been many, many hardware and software products that use UPnP. See the links I posted above. I have three hardware products on my network and at least four programs that make good use of UPnP. None of them existed in 2001.

The GRC page has not been substantively updated since early 2002. (I compared the version in the Internet Archive with the current one. The only things that have changed are some links to external articles.) The advice is hopelessly out of date. My advice is up-to-date. If you have any current information, I’d be happy to hear it.

By: Randy Thomas

Randy Thomas — Wed, 31 Dec 1969 17:00:00 +0000

I can’t imagine enabling uPNP on my NAT router/firewall so my Windows PC can open and close ports on it at will. While I do my utmost to practice safe computing, there will come a day when something is going to slip thru and take over my system. Do I really want it to be able to screw over my firewall, too?

Letting uPNP manage your network is like hanging out a sign that says ‘hack me here!’, methinks. No thanks.

By: Ed Bott

Ed Bott — Wed, 31 Dec 1969 17:00:00 +0000

UPnP does not “open and close ports at will.” It listens for specific types of traffic on two specific ports and allows that traffic through if it comes from your network.

As I said in my post, there have been no security issues with UPnP since the original buffer overflow problem was fixed in December 2001. If you know of a single networking expert who has specific details that I’ve overlooked, I’d welcome it.