Thread: UPnP questions
08-09-2005, 09:08 AM
funchords

Quote:
Originally Posted by Mobious
I guess it would be ok if you didn't enable UPnP on your router...or whatever your gateway is to the internet..
If you felt like that was a risk.

It's like anything else. There are specific issues, they get generalized, and then the whole thing gets trashed in the rumor mill. See the below article for some facts.

http://www.sans.org/resources/malwarefaq/win_upnp.php

To compare, ftp has a number of known exploits -- but it's still well used. Apache, even with a long list of vulnerabilities, is the most popular web server around. UPnP has just gotten a bad rap.

UPnP announcements traverse the firewall sometimes because it's broadcast on the segment. Your own systems broadcast beyond your gateway (by default), but there is a registry entry that can limit the scope of that (see the DownloadScope mention in the above linked article). Even without that entry, most firewalls will block the next logical step -- which is a connection to whatever it is that is responding (or that you're responding to).

UPnP on the router (or gateway) invites your OS and other UPnP-enabled programs to open the necessary ports to allow incoming traffic. (Some people are under the false impression that if they don't enable UPnP, their programs cannot make an outgoing connection to phone home.)

In my house, where users only have "Limited User" privileges and I install all of the software, I feel that it is safe and easier to run with UPnP open. If I don't trust the OS or program that might open a port, it doesn't get installed.

If I was in the situation where I didn't have that level of control, I would not run with UPnP open.
__________________
Robb Topolski
http://www.funchords.com
Hillsboro, Oregon USA
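Added example, not part of funchords's post: since UPnP on the gateway lets programs open ports for incoming traffic, this sketch audits the port mappings a gateway reports and lists the enabled ones that point at hosts you have not approved. The SOAP bodies are constructed samples in the shape of the UPnP IGD GetGenericPortMappingEntry response; the addresses and the trusted-host set are assumptions, and fetching the responses from a real gateway is not shown.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: bodies a gateway could return for the UPnP IGD
# action GetGenericPortMappingEntry (WANIPConnection:1), one per index.
def _soap(host, ext, proto, internal, client, enabled, desc):
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:GetGenericPortMappingEntryResponse
      xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost>{host}</NewRemoteHost>
   <NewExternalPort>{ext}</NewExternalPort>
   <NewProtocol>{proto}</NewProtocol>
   <NewInternalPort>{internal}</NewInternalPort>
   <NewInternalClient>{client}</NewInternalClient>
   <NewEnabled>{enabled}</NewEnabled>
   <NewPortMappingDescription>{desc}</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:GetGenericPortMappingEntryResponse>
 </s:Body>
</s:Envelope>"""

SAMPLE_RESPONSES = [
    _soap("", 6881, "TCP", 6881, "192.168.1.10", 1, "p2p client"),
    _soap("", 3389, "TCP", 3389, "192.168.1.23", 1, "unknown"),
    _soap("", 5000, "UDP", 5000, "192.168.1.23", 0, "old game"),
]

def parse_mapping(xml_text):
    """Return the New* arguments of one response as a dict."""
    root = ET.fromstring(xml_text)
    fields = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]      # drop any XML namespace
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields

def audit(responses, trusted_clients):
    """List enabled mappings that forward inbound traffic to untrusted hosts."""
    findings = []
    for m in map(parse_mapping, responses):
        if m["Enabled"] == "1" and m["InternalClient"] not in trusted_clients:
            findings.append((m["Protocol"], int(m["ExternalPort"]),
                             m["InternalClient"], m["PortMappingDescription"]))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSES, trusted_clients={"192.168.1.10"}):
        print("unexpected inbound mapping:", f)
```

An empty NewRemoteHost means the mapping accepts traffic from any remote address, which is why every enabled entry for an unapproved internal host is reported.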