
Given the large amount of “feedback” I receive from many venues on why I’m crazy for suggesting that OS X users employ some type of client-side security software, I wanted to point out a very recent exploit that I saw over at Joel Esler’s blog. The vulnerability is around the IPv6 networking layer of the underlying BSD operating system. Here’s the code:

ORIGINAL
md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
if (!m) {     /* tests the input chain m, not md, the result of the call */

WHAT IT SHOULD HAVE BEEN
md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
if (!md) {    /* NULL from m_pulldown means the IPComp header could not be pulled up */

A one-character difference in the source of an open-source component trickled its way up into our shiny new operating system: the code checks the pointer it passed in rather than the one the call returned, so a short packet that makes m_pulldown fail is not rejected and the code goes on to use a NULL md.
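To make the one-character difference concrete, here is an added C example that is not the BSD kernel's code: toy_mbuf and toy_pulldown are constructed stand-ins for the mbuf chain and m_pulldown() (the real ones are more involved), and the two packets are constructed inputs. Both versions of the check are run over a complete and a truncated IPComp header; the original check lets the truncated packet fall through to a NULL md, which the toy reports as a verdict instead of crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for an mbuf: one contiguous buffer.  The real BSD
 * mbuf is a chain; this toy only needs "is the header reachable or not". */
struct toy_mbuf {
    const uint8_t *data;
    size_t len;
};

/* IPComp header layout (RFC 3173): next header, flags, 16-bit CPI. */
struct ipcomp {
    uint8_t  comp_nxt;
    uint8_t  comp_flags;
    uint16_t comp_cpi;
};

/* Constructed stand-in for m_pulldown(): returns the chunk holding 'len'
 * bytes at 'off', or NULL when the packet is too short.  It never touches
 * the caller's 'm', which is exactly why testing 'm' afterwards proves nothing. */
static const struct toy_mbuf *toy_pulldown(const struct toy_mbuf *m, size_t off, size_t len)
{
    if (m == NULL || off > m->len || m->len - off < len)
        return NULL;
    return m;
}

enum verdict {
    VERDICT_PARSED,      /* header read successfully */
    VERDICT_REJECTED,    /* short packet dropped cleanly */
    VERDICT_NULL_DEREF   /* the code path would have dereferenced NULL */
};

/* Reads the CPI out of a chunk that is known to hold a full header. */
static enum verdict read_cpi(const struct toy_mbuf *md, size_t off, uint16_t *cpi_out)
{
    const uint8_t *p = md->data + off;
    *cpi_out = (uint16_t)((p[2] << 8) | p[3]);   /* CPI is big-endian on the wire */
    return VERDICT_PARSED;
}

/* The check as it shipped: tests m, which is still non-NULL after a failed
 * pulldown, so a short packet falls through with md == NULL. */
static enum verdict ipcomp_input_original(const struct toy_mbuf *m, size_t off, uint16_t *cpi_out)
{
    const struct toy_mbuf *md = toy_pulldown(m, off, sizeof(struct ipcomp));
    if (!m)
        return VERDICT_REJECTED;
    if (md == NULL)                 /* guard present only so this toy does not crash; */
        return VERDICT_NULL_DEREF;  /* the real code would read through md here      */
    return read_cpi(md, off, cpi_out);
}

/* The one-character fix: test the pointer the call actually returned. */
static enum verdict ipcomp_input_fixed(const struct toy_mbuf *m, size_t off, uint16_t *cpi_out)
{
    const struct toy_mbuf *md = toy_pulldown(m, off, sizeof(struct ipcomp));
    if (!md)
        return VERDICT_REJECTED;
    return read_cpi(md, off, cpi_out);
}

/* Constructed packets: a 40-byte IPv6 header (contents irrelevant to the
 * check) followed by either a complete 4-byte IPComp header with CPI 2, or a
 * truncated one carrying only the next-header byte. */
#define IPV6_HDR_LEN 40
static const uint8_t full_pkt[IPV6_HDR_LEN + 4]  = { [IPV6_HDR_LEN] = 0x3b, 0x00, 0x00, 0x02 };
static const uint8_t short_pkt[IPV6_HDR_LEN + 1] = { [IPV6_HDR_LEN] = 0x3b };

struct result {
    enum verdict original;   /* what the shipped check does with the packet */
    enum verdict fixed;      /* what the corrected check does */
    uint16_t cpi;            /* CPI parsed by the corrected version, 0 if rejected */
};

/* Runs one packet through both versions of the input routine. */
struct result run_both(const uint8_t *pkt, size_t pktlen)
{
    struct toy_mbuf m = { pkt, pktlen };
    struct result r = { VERDICT_REJECTED, VERDICT_REJECTED, 0 };
    uint16_t cpi_orig = 0;
    r.original = ipcomp_input_original(&m, IPV6_HDR_LEN, &cpi_orig);
    r.fixed = ipcomp_input_fixed(&m, IPV6_HDR_LEN, &r.cpi);
    return r;
}

int main(void)
{
    static const char *names[] = { "parsed", "rejected", "NULL dereference" };
    struct result a = run_both(full_pkt, sizeof full_pkt);
    struct result b = run_both(short_pkt, sizeof short_pkt);
    printf("full packet:  original=%s fixed=%s cpi=%u\n", names[a.original], names[a.fixed], a.cpi);
    printf("short packet: original=%s fixed=%s\n", names[b.original], names[b.fixed]);
    return 0;
}
```

The point of the toy is the verdict on the short packet: the original check answers "rejected" only for a packet that was NULL before the call ever ran, so the truncated header reaches the dereference, while the fixed check drops it before anything touches md. On a valid packet the two versions are indistinguishable, which is why a bug like this survives ordinary testing and only shows up under malformed input.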

Anti-virus software won’t help you on this one (and I’m sure someone will point that out and continue to defend the lack of need for client security), but it provides a clear example of how coding errors in the operating system can – and will – be exploited, which is a strong enough reason to put up defenses in other areas. Again, it’s completely based on your risk appetite and there is a contingent of OS X users that swear by the notion of not investing in security until there is overt reason to. This example should prod some of those folks to start thinking more about how vulnerable their invulnerable systems really are.

The problem exists only in the IPv6 networking layer, and – since most folks do not need IPv6 enabled – you can disable IPv6 in each of the network interfaces in your Network System Preferences to give yourself a bit of protection. Here’s an example of that via the Airport configuration panel:

Disable IPv6 in Airport configuration

Apple should be fixing this in the next security update.

More info on the exploit: Secunia, InformationWeek, digit labs


  1. So wait, a network problem that no security software would protect against is evidence that people should be slowing down their systems with security software that protects against other, non-existent attack vectors?

  2. Unless you are on an IPv6 network I fail to see how this flaw could be exploited – no need to disable anything. Any home user will be using IPv4 to connect to the Internet so can sleep soundly.

  3. If there was a vulnerability in the IPv4 code somewhere, would you also disable IPv4? There is a good reason IPv6 was created and it’s silly to suggest disabling it for most people, especially since most people don’t understand what IPv6 or IPv4 is.

  4. @Nathaniel: read the article.

    @Paul: Agreed, but you never know what you may run up against with a mobile Mac.

    @Tim: It is only a mitigation step for users that feel they need some way to protect themselves. There are situations where this may be necessary.
