
UPnP IGD: Disabled


Apple address security exploit by turning things off.

Possibly in response to the stir caused by the phantom security blog 'Infosec Sellout' Apple have in their 31 July security update disabled their Universal Plug and Play Internet Gateway Device aka UPnP IGD.


No information is available about Apple's intentions - whether the move is temporary or permanent.

  • mDNSResponder

    CVE-ID: CVE-2007-3744

    Available for: Mac OS X v10.4.10, Mac OS X Server v10.4.10

    Impact: An attacker on the local network may be able to cause a denial of service or arbitrary code execution

    Description: A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in the Mac OS X implementation of mDNSResponder. By sending a maliciously crafted packet, an attacker on the local network can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution.

    This update addresses the issue by removing UPnP IGD support.

Reserved CVE

MITRE's listing for the vulnerability is empty. No information is available about who registered the CVE or about what it relates to. An exploit appearing at SecurityFocus also claimed a vulnerability but offered neither further information nor workaround.

Name: CVE-2007-3744 (under review)
Status: Candidate
Description: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Phase: Assigned (20070712)

The Cat Tripped

Apple's multicast DNS - of which UPnP IGD is a part - is in turn part and parcel of Apple's Bonjour - aka Rendezvous aka Zeroconf - and was created by Stuart Cheshire while working at Apple as a 'wizard without portfolio'. Cheshire had previously created Bolo, a 1987 network 'tank' game for the BBC Micro computer later ported to the Apple Macintosh.

Cheshire is coauthor with Daniel Steinberg of Zero Configuration Networking: The Definitive Guide.

See Also
Sûnnet Beskerming: Worm Threat Forces Apple to Disable Software?

Copyright © Rixstep. All rights reserved.