Saturday, 20 August 2011

Microsoft decides that local attacks do not matter…

A new security vulnerability in Microsoft’s implementation of IPv6 has been released. There is a good report on this here.
 
Right now, I have only seen local DoS attacks from this and no exploit code or conditions, but that is still far from ideal.

The vulnerability is found in Windows 7's handling of IPv6 and has been acknowledged as an issue by Microsoft. They have no plans to actually fix this issue however.

Microsoft have stated that as any exploitation requires local network access, it is less critical.
The Windows 7 remote procedure call (RPC) function has a flaw in how it handles malformed DHCPv6 requests. Basically, old issues are coming back to haunt us as we start to move from IPv4 to IPv6. I am wondering how the PoD attack will progress in IPv6 right now…

This type of thinking is truly short-sighted!
We really need to stop thinking this is ONLY a local network exploitation. There are several reasons for this:

  1. Internal attackers also exist.
  2. Cloud based system place systems directly on the Internet
  3. Home users are often exposed
  4. Attack escalation
Of particular concern is attack escalation. Once an attacker has breached a perimeter, they are going to attack internal systems and increase the reach and expanse of their compromise.

Vulnerabilities such as this one allow attackers to expand the scope of any breach they succeed in achieving. When we allow this type of vulnerability to remain, we all lose.

The attitude of vendors needs to change and it is only through consumer pressure that they will change.

What can we do?
There remain some work-arounds even if Microsoft have dropped the ball and decided that they do not care for the security of their users (SHAME). A couple simple controls are listed below:
  1. If you are not using it, disable it.
  2. Firewall the hosts. This also means local systems inside the network.
It is simple to disable IPv6 and if you are not using this protocol, it is a wise move. To do this, simply bring up your adaptor properties:

We see in the image above in the highlighted regionof the network controls that allows us to change the protocols. Click the "Properties" tab. You need to have local administrator privilages to do this change.

Then un-tick the option for IPv6. This is the line saying “Internet Protocol Version 6”.

For those few people already using IPv6, you need to start thinking of and installing host based firewall controls that stop access to the stack from untrusted systems. RPC is not a friendly protocol that you want all users on the Internet connecting to in any event.

If you are a business domain, then you have the option of pushing these controls to users through Group Policy.

Shame, Microsoft, Shame. I had thought that this attitude was leaving the culture of Microsoft. Again, Shame.
I encourage people to write (email) Microsoft's security team and to tell them just how displeased you are with this lack of concern for your systems security and safety.

No comments: