The CVE has been discovered by a security researcher/firm, rather than being found in the wild. Without technical details or a PoC being publicly available, I doubt this will amount to more than just another starting point for someone to develop a new exploit. In a year or so it might show up in your Metasploit bundle.
Yes, it's sometimes hard to keep in mind that vulnerabilities don't just materialize into existence when they're first publicized. It's a different picture, everyone is vulnerable all the time.
I don't think that is a realistic conclusion. If one group found it, we can assume that there exists at least one other group that is capable of finding it. It therefore is not unrealistic to believe this has seen limited exploitation by sufficiently motivated actors.
That’s definitely not the norm. IPv6 is enabled by default and it’s not recommended to disable it. Only really locked down places that are ignoring recommendations would have it disabled.
Whether it’s exposed to the Internet is another question, but pretty much everyone has a firewall to at least stop passive scans.
> Every Windows-based business LAN or industrial machine I know still has IPv6 disabled.
Which is against Microsoft's recommendations:
> Internet Protocol version 6 (IPv6) is a mandatory part of Windows Vista and Windows Server 2008 and newer versions. We do not recommend that you disable IPv6 or its components. If you do, some Windows components may not function.
IPv6 actually disabled or merely inactive because there's no router advertisements on the LAN?
I suspect more of the second than the first. If it's just inactive, a compromised host can often broadcast a router advertisement or perhaps use local net addresses to compromise other hosts. A well prepared network would block IPv6 traffic on their switches, if they don't want it, but that's a big investment in capable switches.
> You cannot completely disable IPv6 as IPv6 is used internally on the system for many TCPIP tasks. For example, you will still be able to run ping ::1 after configuring this setting.
I'd be concerned their workaround is just limiting it into a local vulnerability that spyware, etc. will abuse on all the systems that end up not patched because they used the workaround.
I mean 'disabled in network adapter connection properties'. If you're already using IPv4 there's no reason for the extra complications of leaving IPv6 enabled.
> If you're already using IPv4 there's no reason for the extra complications of leaving IPv6 enabled.
That’s just flat out wrong. No pure IPv6 deployments exist on endpoints in practice. Only in internal networks. You either run pure v4, or dual stacked v4+v6.
IPv6 is gaining some pretty solid adoption these days, but it’s not there yet. Disabling it is holding back the deployment of it, and is a problem by itself.
Yep, tons of them were working more than fine in noscript/basic (x)html.
This is just some big tech-cracy abusing the script kiddy who is in all of us, poisoning us with massive kludges which obviously only they could maintain and control, using it as a trojan horse for all their toxic tech.
If a website can't manage to at least display text and images without needing JS it's just bad design. Good design degrades gracefully and prioritizes making the essential data accessible to as many people as possible.
thinking that including 3 trillion billion js libraries is necessary to put some text out there in a nice way is also pretty delusional, yet here we are
IPv6 was introduced in XP, so it's probably safe to assume vulnerability there as well. They don't provide updates pre-2008 anyway, so we'll never know until a PoC comes out for testing. Disable IPv6 just in case you do have one of those antiques connected to a network.
Turns out you're right, thanks for the correction! It's been so incredibly long since I used XP that I forgot it does need to be installed. It was introduced as a default in Server 2008 & Vista per https://learn.microsoft.com/en-us/troubleshoot/windows-serve...
Isn't that number largely driven by the adoption of mobile phones, on their own cellular networks? Which wouldn't necessarily correlate with IPv6 access from Windows machines in particular.
Unfortunately, disabling IPv4 is not a viable option, unless you run IPv4 literal address translation layer (464XLAT on the server side and CLAT on the clients). Many sites still do not support IPv6, which is a great shame, but slowly but surely we’re getting there.
I tried 464XLAT on my home network, for the most part it worked flawlessly, aside from some IoT devices that don’t support v6 at all or are not LAT aware. So dual stack it is.
As I said, really not that many, to a point I was about to turn off IPv4.
Ofc, it depends on your usage.
But what's very surprising are those Big Tech sites, with billions of $ and still IPv4 only, like msft github (and github still has its core functions working with noscript/basic (x)html browsers).
What is really bothering me is the admin of the mail server of my medical insurance company: IPv4... but that's not what is the most annoying, the most annoying: it is not white listing its client SMTP servers/client emails... this is another level of bad.
Yay. :p