
Remote Denial of Service For OS X (Leopard)

Given the large amount of “feedback” I receive from many venues on why I’m crazy for suggesting that OS X users employ some type of client-side security software, I wanted to point out a very recent exploit that I saw over at Joel Esler’s blog. The vulnerability lives in the IPv6 networking code that OS X inherits from BSD, specifically in the handling of the IPComp (IP payload compression) header. Here is the relevant code, the vulnerable version first and the corrected version after it:

/* Vulnerable: tests the caller's pointer m, which is never NULL here */
md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
if (!m) {

/* Fixed: tests md, the value m_pulldown() actually returned */
md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
if (!md) {

A one-character difference in an open source component trickled its way up to our shiny new operating system. m_pulldown() frees the mbuf chain and returns NULL when it cannot make the requested bytes contiguous, for example when an IPv6 packet is too short to contain an IPComp header. The vulnerable code tests m, the caller’s now-stale pointer, which is never NULL at that point, instead of md, the value m_pulldown() actually returned. A truncated packet therefore sails past the check, the NULL md is dereferenced in the kernel, and the machine panics: a remote denial of service from a malformed packet.
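To make the failure mode concrete, here is an added example that is not code from this post, from Joel Esler’s write-up, or from the BSD or OS X kernel. It models only the part of the m_pulldown() contract that matters (on failure the chain is freed and NULL is returned) with a toy one-buffer mbuf, then runs the vulnerable guard and the corrected guard over a constructed packet that ends right after the IPv6 header. All toy_* names, the enum verdict codes and the packet bytes are assumptions made for the example; the vulnerable handler stops one step short of the real NULL dereference so the program stays runnable.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Toy stand-in for a BSD mbuf: one contiguous buffer instead of a chain.
 * Constructed for this example; it is not the kernel's struct mbuf. */
struct toy_mbuf {
    unsigned char *data;
    size_t len;
};

/* Layout of the IPComp header (RFC 3173): next header, flags, CPI. */
struct ipcomp_hdr {
    uint8_t  comp_nxt;
    uint8_t  comp_flags;
    uint16_t comp_cpi;
};

/* Result codes so a caller (or a test) can see what the guard did. */
enum verdict {
    VERDICT_OK = 1,          /* header parsed */
    VERDICT_DROPPED = 0,     /* short packet rejected cleanly */
    VERDICT_NULL_DEREF = -1  /* guard missed: the real kernel would panic here */
};

static struct toy_mbuf *toy_mbuf_alloc(const unsigned char *bytes, size_t len)
{
    struct toy_mbuf *m = malloc(sizeof(*m));
    m->data = malloc(len ? len : 1);
    memcpy(m->data, bytes, len);
    m->len = len;
    return m;
}

static void toy_mbuf_free(struct toy_mbuf *m)
{
    if (m) { free(m->data); free(m); }
}

/* Models the m_pulldown(9) contract that matters here: on success return the
 * mbuf holding `len` contiguous bytes at `off`; on failure FREE THE CHAIN and
 * return NULL.  The caller's own pointer `m` is left dangling, not cleared. */
static struct toy_mbuf *toy_m_pulldown(struct toy_mbuf *m, size_t off, size_t len)
{
    if (off + len > m->len) {
        toy_mbuf_free(m);
        return NULL;
    }
    return m;
}

/* The shape of the vulnerable check: consumes m on every path. */
static enum verdict ipcomp_input_vulnerable(struct toy_mbuf *m, size_t off, struct ipcomp_hdr *out)
{
    struct toy_mbuf *md = toy_m_pulldown(m, off, sizeof(*out));
    if (!m) {                       /* BUG: m is a stale, non-NULL pointer */
        return VERDICT_DROPPED;
    }
    /* The real code continues with mtod(md, ...) and dereferences the NULL md.
     * Stop one step short so this example stays runnable. */
    if (md == NULL)
        return VERDICT_NULL_DEREF;
    memcpy(out, md->data + off, sizeof(*out));
    toy_mbuf_free(md);
    return VERDICT_OK;
}

/* The one-character fix: test what m_pulldown() returned. */
static enum verdict ipcomp_input_fixed(struct toy_mbuf *m, size_t off, struct ipcomp_hdr *out)
{
    struct toy_mbuf *md = toy_m_pulldown(m, off, sizeof(*out));
    if (!md) {                      /* chain already freed; nothing to touch */
        return VERDICT_DROPPED;
    }
    memcpy(out, md->data + off, sizeof(*out));
    toy_mbuf_free(md);
    return VERDICT_OK;
}

typedef enum verdict (*handler_fn)(struct toy_mbuf *, size_t, struct ipcomp_hdr *);

/* Runs one handler over a constructed packet of `total_len` bytes whose IPComp
 * header would start at offset 40, right after a fixed-size IPv6 header.
 * A 40-byte packet is the "IPv6 header, next header = IPComp, nothing else" case. */
static enum verdict run_case(handler_fn handler, size_t total_len, struct ipcomp_hdr *out)
{
    unsigned char buf[64];
    struct toy_mbuf *m;

    memset(buf, 0, sizeof buf);
    buf[6] = 108;                                   /* IPv6 next header: IPComp */
    if (total_len >= 44) {                          /* room for the IPComp header */
        buf[40] = 59; buf[41] = 0; buf[42] = 0x00; buf[43] = 0x02;
    }
    if (total_len > sizeof buf)
        total_len = sizeof buf;
    m = toy_mbuf_alloc(buf, total_len);
    return handler(m, 40, out);
}

int main(void)
{
    struct ipcomp_hdr h;
    int v;

    v = run_case(ipcomp_input_vulnerable, 40, &h);
    printf("short packet, vulnerable check: %d (-1 = would panic)\n", v);
    v = run_case(ipcomp_input_fixed, 40, &h);
    printf("short packet, fixed check:      %d (0 = dropped)\n", v);
    v = run_case(ipcomp_input_fixed, 44, &h);
    printf("full packet, fixed check:       %d, next header %u\n", v, h.comp_nxt);
    return 0;
}
```

The point of the model is that the stale pointer m still holds its old value after m_pulldown() has freed the chain, so a guard on m can never fire; only a guard on the returned md protects the dereference that follows.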

Anti-virus software won’t help you on this one (and I’m sure someone will point that out and continue to defend the lack of need for client security), but it provides a clear example of how coding errors in the operating system can, and will, be exploited, which is reason enough to put up defenses in other areas. Again, it comes down to your risk appetite, and there is a contingent of OS X users who swear by not investing in security until there is an overt reason to. This example should prod some of those folks to start thinking about how vulnerable their invulnerable systems really are.

The problem exists only in the IPv6 networking layer, and since most folks do not need IPv6 yet, you can disable IPv6 on each network interface in the Network pane of System Preferences to give yourself some protection until the fix ships. Keep in mind that OS X enables IPv6 by default and gives every active interface a link-local address, so you do not need an IPv6 connection to the Internet to be reachable over IPv6: any other machine on the same network segment (a hotel or conference wireless network, for example) can send you IPv6 packets. Disabling IPv6 is a mitigation, not a fix. Here’s an example of the setting via the Airport configuration panel:

Disable IPv6 in Airport configuration

Apple should be fixing this in the next security update.

More info on the exploit: Secunia, InformationWeek, digit labs

4 Responses to “Remote Denial of Service For OS X (Leopard)”

  1. @Nathaniel: read the article.

    @Paul: Agreed, but you never know what you may run up against with a mobile Mac.

    @Tim: It is only a mitigation step for users that feel they need some way to protect themselves. There are situations where this may be necessary.

  2. If there was a vulnerability in the IPv4 code somewhere, would you also disable IPv4? There is a good reason IPv6 was created and it’s silly to suggest disabling it for most people, especially since most people don’t understand what IPv6 or IPv4 is.

  3. Unless you are on an IPv6 network I fail to see how this flaw could be exploited – no need to disable anything. Any home user will be using IPv4 to connect to the Internet so can sleep soundly.

  4. Nathaniel

    So wait, a network problem that no security software would protect against is evidence that people should be slowing down their systems with security software that protects against other, non-existent attack vectors?