Windows

UPnP becomes a standard

Ars Technica reports today that UPnP has been approved as an official standard by the easy-to-remember ISO/IEC JTC 1 (International Standards Organization/International Electrotechnical Commission Joint Technical Committee 1, in case you were wondering). As part of the article they discuss how Microsoft has addressed some of the “security flaws” that were in the original implementation.

While it’s good that the security flaws have been patched, I haven’t seen some of my other concerns addressed yet. UPnP makes it easy for applications to set themselves up for Internet access, but this facility is available for all applications, bad and good. If malicious code makes it onto your computer, a router will not necessarily stop it getting out to the Internet, whether this is spyware reporting back or a trojan setting itself up to communicate with its swarm.

I expect that most of the GNC readers are like myself, and have enough IP experience to get by with UPnP disabled. But when I have helped relatives and friends set up their systems, I have always had to weigh up the possibility of hostile programs accessing the Net against the number of ‘support calls’ I would get if I disabled UPnP.

I don’t necessarily object to UPnP becoming a standard, especially if that means it will be more open to collaborative development. What I hope is that some focus goes into making it more secure without compromising the usability. If it is a standard, there could therefore be a standard challenge/response routine, so there is at least a warning if something is trying to open a port. I am sure that there is probably more security on UPnP in Vista, but you know my feelings on that.
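Until routers warn when a mapping is requested, the mappings can at least be reviewed after the fact. The sketch below is an added example, not code from this post or from any UPnP vendor: it parses responses shaped like the IGD `GetGenericPortMappingEntryResponse` (which a router returns when its mapping table is read entry by entry) and flags enabled mappings that are unexpected or never expire. The sample responses, addresses, and the `ALLOWED` list are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: shape of a GetGenericPortMappingEntryResponse from
# the UPnP IGD WANIPConnection service. Addresses and ports are made up.
TEMPLATE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{port}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol><NewInternalPort>{port}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>{lease}</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

SAMPLE = [
    TEMPLATE.format(port=51413, proto="TCP", client="192.168.1.20", enabled=1, desc="Torrent client", lease=3600),
    TEMPLATE.format(port=4444, proto="UDP", client="192.168.1.37", enabled=1, desc="", lease=0),
    TEMPLATE.format(port=8080, proto="TCP", client="192.168.1.37", enabled=0, desc="old", lease=0),
]
# Hypothetical allowlist of expected mappings: (client, protocol, external port).
ALLOWED = {("192.168.1.20", "TCP", 51413)}


def parse_mapping(soap_xml):
    """Return the New* fields of one response as a dict, namespaces dropped."""
    # For responses from a device you do not trust, parse with defusedxml instead.
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields


def audit(responses, allowed):
    """List enabled mappings that are unexpected or never expire."""
    findings = []
    for m in map(parse_mapping, responses):
        if m["Enabled"] != "1":
            continue  # disabled entries forward nothing
        key = (m["InternalClient"], m["Protocol"].upper(), int(m["ExternalPort"]))
        reasons = []
        if key not in allowed:
            reasons.append("not on allowlist")
        if m["LeaseDuration"] == "0":  # 0 means the mapping never expires
            reasons.append("permanent lease")
        if reasons:
            findings.append((key, reasons))
    return findings


if __name__ == "__main__":
    for key, reasons in audit(SAMPLE, ALLOWED):
        print(key, "->", ", ".join(reasons))
```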

Tags: UPnP, Security