Yet another Security Flaw in Windows, this time with networking

[eidairaman1]

David Plummer, retired MS Windows Dev goes over a serious security flaw within Windows networking, When he mentions something like this, it is serious and should be dealt with swiftly. Watch his video it deals with ipv6.

 

[R-T-B]

I've already patched for this... but this is the bug that's going to kill windows 7 holdouts, for sure. There will be no patch there.

 

[eidairaman1]

I've already patched for this... but this is the bug that's going to kill windows 7 holdouts, for sure. There will be no patch there.

ESA updates or kill off ipv6

 

[Caring1]

I'm just watching this and came to post the same video.
You saved me the trouble.

 

[phanbuey]

this guy has some quality videos -- love his content.

 

[thesmokingman]

Holy Carp man, zero click attack vector!

 

[Arctucas]

So, if I have disabled IPV6...?

 

[_JP_]

So, if I have disabled IPV6...?

It's a mitigation, while you don't have services that depend on it.

I've already patched for this... but this is the bug that's going to kill windows 7 holdouts, for sure. There will be no patch there.

Technically, it will be the mercy shot from Vista & 2008 until 10 & 2019, unless they stick to IPv4.

 

[Bill_Bright]

If you are not sure of the status of your IPv6, or just want to verify if disabled or not, see this: Test your IPv6. (test-ipv6.com)

 

[chrcoluk]

David Plummer, retired MS Windows Dev goes over a serious security flaw within Windows networking, When he mentions something like this, it is serious and should be dealt with swiftly. Watch his video it deals with ipv6.

Skip to 4:30 to save some time.

 

[unwind-protect]

From strictly a practicality standpoint, having IPV6 enabled opens up a huge attack surface. Complex software, all in the kernel, and by definition reachable from the network.

 

[R-T-B]

From strictly a practicality standpoint, having IPV6 enabled opens up a huge attack surface. Complex software, all in the kernel, and by definition reachable from the network.

Yes, but its also necessary for a lot of the modern internet, and will be more everyday as we grow, so...

Honestly despite its complexity the stacks have proven remarkably robust. This is the first true ipv6 attack in quite a while.

 

[Bill_Bright]

and will be more everyday as we grow, so...

I agree but I think it will be some time before it comes down to private users at home. Even large businesses use NAT so 254 users (or is it 255?) can share the same IP addressed assigned by the ISP. And even then there are ways for larger corporations to get around that limit.

In any case I hope all the known issues with IPv6 are addressed by then. It is the unknown (to the good guys) vulnerabilities I worry about.

 

[R-T-B]

I agree but I think it will be some time before it comes down to private users at home.

We are already using CGNAT on several big isps bill. Like it or not, if you want any degree of access to your local ports, IPv4 is on the verge of breaking.

 

[Bill_Bright]

We are already using CGNAT on several big isps bill. Like it or not, if you want any degree of access to your local ports, IPv4 is on the verge of breaking.

"On the verge", maybe. But we are not there yet. And much of that is due to what you just noted - many ISPs are using CGNAT allowing entire neighborhoods to share a single IPv4 address.

There are still many unused IPv4 addresses. The top-level holders of those just need to give them up.

IP address exhaustion is not something that just popped up unexpectedly. They've had plenty of time to sort out the alternatives. I am not worried - at least not yet.

 

[R-T-B]

many ISPs are using CGNAT allowing entire neighborhoods to share a single IPv4 address.

This is fine if you don't ever want to do anything involving ports ever.

For many, that is very much not fine.

IP address exhaustion is not something that just popped up unexpectedly. They've had plenty of time to sort out the alternatives.

Bill, the alternative for years has been one and the same: IPv6, or a subpar experience for a lot of services. IPv6 RFC was proposed in 2000 so its not exactly a novel new thing.

There are still many unused IPv4 addresses.

Actually, no. Exhaustion was hit YEARS ago, actually over a decade ago for many providers. We are full on recycling addresses from clients that just released them now.

Some reading: https://en.m.wikipedia.org/wiki/IPv4_address_exhaustion

No it's NOT a panic situation but thats entirely because ipv6 deployment is happening actively.

 

[Bill_Bright]

Actually, no. Exhaustion was hit YEARS ago

Too bad you only quoted half my statement. The second half put the first into context.

What I said was,

There are still many unused IPv4 addresses. The top-level holders of those just need to give them up.

And did you read your own reference? I did! And that was before you posted your link to it.

Yes, all the IP addresses have been "handed out". But "exhausted" does not mean used up. As I noted and as your reference notes, there are still many unused. Your own reference points out that ISPs still have pools of unassigned IP addresses. And they have many no longer in use they can recycle.

And if you scroll down to "Reclamation of unused IPv4 space", note it says,

IP address blocks have been allocated to entities that no longer exist and some allocated IP address blocks or large portions of them have never been used.

I am NOT minimizing the problem. It definitely is a huge problem. But the fear and panic you pose, while looming, is just is not upon us - yet.

 

[R-T-B]

But the fear and panic you pose, while looming, is just is not upon us - yet.

What fear and panic? We've had ipv6 since 2000, we'll be fine.

And did you read your own reference? I did!

Of course I read it. I read it before we even had this discussion. I'm not going further into semantics about what constitutes recycling, ok?

 

[P4-630]

Yet another Security Flaw in Windows, this time with networking

I didn´t watch the video but I didn´t read/hear about any windows networking security flaw on the news online or on TV...

It´s not that serious then probably.

 

[Bill_Bright]

Semantics over recycling? Not sure there are any. Recycling IPs simply means (at least to me - maybe I'm wrong) to assign an IP address that was previously used, but is no longer, to a different user.

This is similar to how old, no longer used phone numbers are often reassigned to new customers.

We've had ipv6 since 2000, we'll be fine.

I agree. I am just saying IPv4 is not dead yet.

 

[R-T-B]

I didn´t watch the video but I didn´t read/hear about any windows networking security flaw on the news online or on TV...

It´s not that serious then probably.

Severtity rating of Critical... "not that serious." God god man, this is the worst zero day in some time if you have ipv6 service online.

Some reading.

Security Update Guide - Microsoft Security Response Center

msrc.microsoft.com

 

[P4-630]

Don´t see it in the TPU news.

 

[avidgamer121]

too bad, despite having decently fast internet with fiber, i still do not have the privilege of ipv6 and i asked them about when they were new (in my area 8 years ago) and still haven't given a thought of implementing, being a local broadband provider with services available in select areas of our city and even bigger weight on their shoulder they are just resellers so they have zero control of certain policies and stuff. Though in this regard it's a blessing in disguise for me especially since i use a custom iso based windows which has all bloatware and many unnecessary features removed.

 

[mechtech]

If you are not sure of the status of your IPv6, or just want to verify if disabled or not, see this: Test your IPv6. (test-ipv6.com)

thanks

 

[chrcoluk]

I didn´t watch the video but I didn´t read/hear about any windows networking security flaw on the news online or on TV...

It´s not that serious then probably.

I remember back in the XP days, watched a friend install XP which had a ISP modem directly hooked up to it, and within a few seconds of booting, it was owned, The days of getting exploited with no user input whatsoever, those kind of exploits is what got me into integrating updates on to install media.

This network exploit is potentially capable of that kind of thing happening, its a very different story to most of the exploits which require some operator stupidity.