On the Windows XP Inside Out forums, a visitor asked: Does anybody know if there are any problems with allowing exceptions in Windows firewall for uPnP?
UPnP is the Universal Plug and Play service. It’s useful and perfectly safe. There was a security problem with UPnP that was discovered several weeks after Windows XP was released, nearly four years ago. That problem was patched in December 2001, and since then there have been no reported security issues with UPnP.
In addition, Windows Firewall only allows traffic on the UPnP ports from your local subnet, not from the Internet at large.
Unfortunately, way back in 2001 several widely read security sites, including the FBI’s National Infrastructure Protection Center (NIPC), posted advisories that recommended disabling UPnP. (The FBI changed that advice within a few days after the Windows XP update was released.) One widely read site even created a tool that disables the UPnP service automatically; that tool is still available for download and I continue to see people advising that it be used. That’s a mistake. The information in those advisories is no longer accurate and that tool is no longer needed.
You should enable UPnP with confidence. It is used by routers and by media sharing devices and home automation products, to name just a few categories of hardware and software.
The reason I uninstalled UPnP is that it prevented the icons (and associated programs) in my system tray from loading properly. I googled the problem, found a page describing the same problem and suggesting that removing UPnP would fix it. I removed it, the problem disappeared and (as far as I know) I have not lost any capability that I need.
http://www.grcsucks.com
You don’t even need to disable UPnP to solve the missing icon problem in the System tray/Notification area. All you need to do is go to My Network Places and under “Network Tasks” click on the item that says “Don’t show icons for networked UPnP devices.” That will fix the missing icon problem but still allow UPnP to run.
Sorry, Ed, but I still haven’t seen a compelling reasoned argument in favor of casting aside Windows Best Practices. There may be one; but if so, neither you nor Mr. Mullen have made it yet IMCO.
Let’s just let computer owners decide for themselves whose argument is stronger, shall we?
The Steve Gibson article is from 2001. Strip away the hype and alarmism and there’s nothing to it. He calls UPnP “insecure, exploit-prone, and probably unnecessary.”
It may have been insecure in 2001; that is not true today. Since December 2001, not a single security flaw has been uncovered that uses UPnP.
To call UPnP exploit-prone is ludicrous; there are two documented and patched exploits, both of which are from 2001 (MS01-054 and MS01-059). If UPnP is so “exploit-prone,” where are the other exploits?
“Probably unnecessary”? Again, that may have been true a few months after the release of Windows XP, but since that time there have been many, many hardware and software products that use UPnP. See the links I posted above. I have three hardware products on my network and at least four programs that make good use of UPnP. None of them existed in 2001.
The GRC page has not been substantively updated since early 2002. (I compared the version in the Internet Archive with the current one. The only things that have changed are some links to external articles.) The advice is hopelessly out of date. My advice is up-to-date. If you have any current information, I’d be happy to hear it.
I can’t imagine enabling uPNP on my NAT router/firewall so my Windows PC can open and close ports on it at will. While I do my utmost to practice safe computing, there will come a day when something is going to slip thru and take over my system. Do I really want it to be able to screw over my firewall, too?
Letting uPNP manage your network is like hanging out a sign that says ‘hack me here!’, methinks. No thanks.
UPnP does not “open and close ports at will.” It listens for specific types of traffic on two specific ports and allows that traffic through if it comes from your network.
As I said in my post, there have been no security issues with UPnP since the original buffer overflow problem was fixed in December 2001. If you know of a single networking expert who has specific details that I’ve overlooked, I’d welcome it.
Steve Gibson is a media gadfly. Even quoting his errors gives him more attention than he deserves.