Hi Marc,

>>> That means, and as I've said to one too many reporters, if you
>>> or someone you know is running Windows 98/ME/XP then you/they
>>> need to install the patch.

But that's not the advice that Microsoft is giving in their security bulletin. This is what it says about patching Windows 98 and ME:

   "Customers using Windows 98, 98SE or ME should apply the patch
   if the Universal Plug and Play (UPNP) service is installed
   and running"

The problem here is that Microsoft doesn't explain to customers how to find out if UPNP is installed on their systems or not. Folks are left scratching their heads if they need to get the patch. To keep things simple, Microsoft should just be telling everyone to always install the patch on Windows 98/ME/XP. I am sure most users have never heard of UPNP.

BTW, another option that the FBI is offering at the www.nipc.gov Web site is to turn off UPNP altogether:

   Update: "Universal Plug and Play Vulnerabilities"
   http://www.nipc.gov/warnings/advisories/2001/01-030-2.htm

I like this approach a lot because it protects against future UPNP security holes and bad patches like the original 054 UPNP patch for Windows ME. I am confused why Microsoft doesn't include this same information about turning off UPNP in their security bulletin.

I am also still wondering why this problem is being characterized as a Windows XP bug, when the problem was clearly introduced when Windows ME started shipping in 2000. Even on their home page, Microsoft calls it a Windows XP and UPNP bug without naming Windows ME or 98. I understand that marketing people don't like to talk about old products, but when it comes to security holes, I think they need to make an exception.

Richard M. Smith
http://www.computerbytesman.com