😏🐧
All Windows users should immediately update their computers. An exploit rated 9.8/10 (CVE-2024-38063) compromises all devices running Windows with an IPv6 address.
Submitted 4 weeks ago by hal_5700X@sh.itjust.works to technology@lemmy.world
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-38063
Comments
tabular@lemmy.world 4 weeks ago
tpihkal@lemmy.world 4 weeks ago
Just say you run Arch and move on.
kescusay@lemmy.world 4 weeks ago
You run Arch and move on.
(Am I doing this right?)
mesamunefire@lemmy.world 4 weeks ago
People always talk about Arch. I wonder what people think of other OSes and the people who run them lol. Like I’m a bearded Debian user (closer to the look of the Dilbert comic unix guy).
tabular@lemmy.world 4 weeks ago
🐧🌿 (♏)
octopus_ink@lemmy.ml 4 weeks ago
Just say you run Arch and move on.
You run Arch and move on.
Lost_My_Mind@lemmy.world 4 weeks ago
I thought he was saying he’s sexually attracted to penguins…
transistor@lemdro.id 4 weeks ago
I run Arch and since then moved on.
FreshLight@sh.itjust.works 4 weeks ago
Still waiting for a distro named “Arch btw”
aStonedSanta@lemm.ee 4 weeks ago
Cachy me outside. I’ll run arch over you.
narc0tic_bird@lemm.ee 4 weeks ago
I like Linux, but it can have security issues just as well.
tabular@lemmy.world 4 weeks ago
Sure can. Just more eyeballs on it, who are from 3rd parties.
Evil_Shrubbery@lemm.ee 4 weeks ago
If Linux is so great, then explain why I can’t even install this latest security patch for Windows on my Tumbleweed??
tabular@lemmy.world 4 weeks ago
You need to sudo zypper install win_patch
M0oP0o@mander.xyz 4 weeks ago
“Compromises all devices running … an IPv6 address.”
Oh so no one is affected. (other than network nerds, and they are not real)
froh42@lemmy.world 4 weeks ago
IPV6 is already rolled out in parts of the world. My provider has a Dual Stack lite architecture, the home connection is over IPV6, IPV4 is normally being tunneled through a provider grade NAT.
As I AM a network nerd, I pay for a dedicated IPV4 address every month, so I can reach my stuff from outside from old IPV4 only networks.
turkalino@lemmy.yachts 4 weeks ago
Why not instead use the money to pay for a domain name and use a router with a dynamic DNS daemon?
primrosepathspeedrun@lemmy.world 4 weeks ago
they certainly don’t run windows.
hal_5700X@sh.itjust.works 4 weeks ago
IPv6 is enabled by default on windows.
echodot@feddit.uk 4 weeks ago
I’ve just queried it; my IP is V4, so presumably I’m fine.
Scrollone@feddit.it 4 weeks ago
Unfortunately (or fortunately, it depends on how you see it), some providers are already on IPv6. My Italian ISP has IPv6 with CGNAT, so all its users are on IPv6 without even knowing what it is.
M0oP0o@mander.xyz 4 weeks ago
Dang Italian network nerds! That will teach them for believing in a better tech future.
TransplantedSconie@lemm.ee 4 weeks ago
Is this for Windows 11?
My windows XP laptop is good right?
treadful@lemmy.zip 4 weeks ago
Our windows XP laptop
Lost_My_Mind@lemmy.world 4 weeks ago
Can’t tell if you’re Russian, or roommates.
huquad@lemmy.ml 4 weeks ago
IPv6 huh? There are dozens of us!
bruhduh@lemmy.world 4 weeks ago
Yay, new Xbox jailbreak method, can’t wait for new modded warfare videos about it
MazonnaCara89@lemmy.ml 4 weeks ago
ReginaPhalange@lemmy.world 4 weeks ago
Serious question - I haven’t touched my Xbox One for about 4 years, it wasn’t powered and wasn’t connected to the internet - I would love to jailbreak it and run Linux on it. Can it be done?
bruhduh@lemmy.world 4 weeks ago
About Linux, it’s not yet feasible, probably soon, right now Xbox one/series jailbreak scene is only making first steps with dumping of games and launching roms and emulators without dev mode
jordanlund@lemmy.world 4 weeks ago
Well, not ALL Windows machines…
“Systems are not affected if IPv6 is disabled on the target machine.”
I can’t remember the last time I saw an IPv6 machine…
AProfessional@lemmy.world 4 weeks ago
It is on by default in Windows… More likely people have routers with it disabled.
RisingSwell@lemmy.dbzer0.com 4 weeks ago
Definitely on by default on my laptop
Appoxo@lemmy.dbzer0.com 4 weeks ago
And disabling it fucks with Windows AD.
cbarrick@lemmy.world 4 weeks ago
Where I work, everything is on IPv6. Both the infrastructure for the software services that we run, and our own internal corporate network.
My ISP also provides publicly routable IPv6 prefixes over DHCP. Any layman in my city with this ISP will be on IPv6 by default.
I also use IPv6 for my LAN.
Like, it’s just kind of the default in my neck of the woods…
Trainguyrom@reddthat.com 4 weeks ago
I have two different ISPs offering gigabit fiber to the home, neither offers IPv6 at all. One of these years I’ll tunnel an IPv6 prefix or two onto my network to actually get some real world experience with…
BearOfaTime@lemm.ee 4 weeks ago
It’s on by default with Win10 at least.
I disable it on all machines I build. And use GP to ensure it stays disabled.
cm0002@lemmy.world 4 weeks ago
Same, ain’t nobody got time to memorize IPv6 addresses! Lmao
Brkdncr@lemmy.world 4 weeks ago
IPv6 is enabled by default on windows. Additionally, MS does no testing against machines with ipv6 turned off. People that go through the effort of turning it off may run into problems.
cmnybo@discuss.tchncs.de 4 weeks ago
My entire network runs IPv6. I don’t have any windows machines though.
HarriPotero@lemmy.world 4 weeks ago
My ISP enabled native IPv6 for me a few months back. It’s pretty great. I don’t have any windows machines, but I doubt my wife has disabled it on hers.
Anyway, our router is set up to drop incoming IPv6 traffic by default, sanely enough.
ulkesh@lemmy.world 4 weeks ago
I updated Windows so hard Linux popped out.
dsilverz@thelemmy.club 4 weeks ago
And it’s Arch, by the way.
Blaster_M@lemmy.world 4 weeks ago
To note: It shows even Windows Server 2008 as affected. Since MS is only testing against OSses they support, it is possible this has existed as a problem all the way back since IPv6 was first introduced to Windows XP.
Also, for all of you “disable IPv6 because I don’t understand it” people… unless you are running Windows 8 or older, just update Windows. IPv4 has been out of addresses for so long that CGNAT is a thing, which means connectivity problems when you’re hosting stuff, and more latency and packet drops from ISP routers getting saturated with NAT tasks. IPv6 is alive on the internet since 2011 and very much used on the internet, does not tie up routers by requiring NAT translation, and therefore just performs better. Plus, if you use your network printer’s or network device’s link-local ipv6 to connect locally, you will never have to deal with static ip address or changing ipv4 lan address pain, as link-local (non-routable on the internet) addresses don’t change unless you force it.
Emerald@lemmy.world 4 weeks ago
I’m still on 22h2 lol
Blaster_M@lemmy.world 4 weeks ago
Every version of 10 going back to 15.07 original release is affected.
LaggyKar@programming.dev 4 weeks ago
This would presumably mainly be an issue for computers open to the internet. So not so much for home PCs, unless the router’s firewall is opened up.
r00ty@kbin.life 4 weeks ago
I've not read the CVE but assuming it works on any IPv6 address including the privacy extensions addresses, it's a problem. Depending on what most routers do in terms of IPv6 firewalling.
My opinion is, IPv6 firewalls should, by default, offer similar levels of security to NAT. That is, no unsolicited incoming connections but allow outgoing ones freely.
In my experience, it's a bit hit-and-miss whether they do or not.
Now, if this works on privacy extension addresses, it's a problem because the IPv6 address could be harvested from outgoing connections and then attacked. If not, then scanning the IPv6 space is extremely hard and by default addresses are assigned randomly inside the /64 most people have assigned by their ISP means that the address space just within your own LAN is huge to scan.
If it doesn't work on privacy extension IPs, I would say the risk is very low, since the main IPv6 address is generally not exposed and would be very hard to find by chance.
Here's the big caveat, though. If these packets can be crafted as part of a response to an active outgoing TCP circuit/session, then all bets are off. Because a popular web server could be hacked, adjusted to insert these packets on existing circuits/sessions in the normal response from the web server. Meaning, this could be exploited simply by visiting a website.
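The default policy described in the comment above (no unsolicited incoming connections, outgoing ones allowed freely), written out as an added example for a Linux-based router using nftables; it is not part of the original thread. The interface names `wan0` and `lan0` and the table name `home_fw` are placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example (constructed): "wan0", "lan0" and "home_fw" are placeholder names.
table ip6 home_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows a LAN host opened, and ICMPv6 errors related to them.
        ct state established,related accept
        ct state invalid drop

        # Outgoing connections from the LAN are allowed freely.
        iifname "lan0" oifname "wan0" accept

        # Anything else from the WAN is unsolicited: count it and log a sample.
        # The rule has no verdict, so the packet falls through to "policy drop".
        iifname "wan0" counter limit rate 10/minute log prefix "v6-unsolicited: "
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbor discovery and router advertisements; IPv6 does not work
        # without them. Hop limit 255 means the packet was sent on-link.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } ip6 hoplimit 255 accept

        # ICMPv6 errors needed for path MTU discovery and diagnostics.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # DHCPv6 replies to the router's own client (e.g. prefix delegation).
        iifname "wan0" udp sport 547 udp dport 546 accept

        # The router itself is managed from the LAN side only.
        iifname "lan0" accept
    }
}
```

`nft -c -f <file>` parses the ruleset without loading it, which is a quick way to check it after substituting real interface names.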
Toribor@corndog.social 4 weeks ago
IPv6 firewalls should, by default, offer similar levels of security to NAT
I think you’re probably right. We had decades of security experts saying that NAT is not a firewall and everyone on the planet treated it like one anyway. Now we’re overexposed for a no-NAT IPV6 internet.
LarmyOfLone@lemm.ee 4 weeks ago
What about torrenting through a VPN with IPv6? Would that make you vulnerable to this exploit?
LaggyKar@programming.dev 4 weeks ago
Harvesting IP addresses shouldn’t be a problem, since the firewall shouldn’t allow packets from a peer you haven’t talked to first. But true, if you can be attacked in response by a server you’re connecting to that would be bad.
RvTV95XBeo@sh.itjust.works 4 weeks ago
For a professional sysadmin’s home network? Maybe. For the average Joe who probably has their 12-year-old toaster still connected to their wifi? I wouldn’t bank on it.
pineapplelover@lemm.ee 4 weeks ago
Lmao good thing we’re all on ipv4
Dumbkid@lemmy.dbzer0.com 4 weeks ago
Sick my isp doesn’t even support ipv6
Scrollone@feddit.it 4 weeks ago
Be the change you want to see in the world, send an email asking for IPv6.
Malfeasant@lemm.ee 4 weeks ago
I did that years ago, and they said basically “never”. Then a couple years later all of a sudden, there it was.
GluWu@lemm.ee 4 weeks ago
I just updated and now my audio sounds like shit.
ColeSloth@discuss.tchncs.de 4 weeks ago
That’s pretty odd. Did you try turning it off and on again?
RememberTheApollo_@lemmy.world 4 weeks ago
My LAN has ipv6 disabled. So there.
nobleshift@lemmy.world 4 weeks ago
Token Ring FTW /s
r00ty@kbin.life 4 weeks ago
Dude 10-Base2 won, get over it!
USSEthernet@startrek.website 4 weeks ago
Nah, bus with terminators is better.
NaoPb@eviltoast.org 4 weeks ago
I’m not running my computer with an IPv6 address. Only my modem has an IPv6 address. Does that mean I’m not affected?
I’ll make sure to update either way though.
afivedaystorm@lemmy.world 4 weeks ago
[deleted]
psvrh@lemmy.ca 4 weeks ago
“There but for the grace of god go thee.”
Or, to be less poetic, “don’t get cocky”.
Hacks can happen to anyone. Better lessons to learn are “don’t enable or install what you don’t need” and “keep machines you don’t trust off your local network”
corsicanguppy@lemmy.ca 4 weeks ago
What about reactOS?
Lemminary@lemmy.world 4 weeks ago
Hah! Joke’s on you. I accidentally restarted my PC and updated it without wanting to.
TornadoRex@sh.itjust.works 4 weeks ago
Yeah? Well I was playing a game and it rebooted in the middle of a boss fight!
ivanafterall@lemmy.world 4 weeks ago
I was mid-proposal. She said, “Yes, as long as this call doesn’t e…” Thanks a lot, Microsoft!
Appoxo@lemmy.dbzer0.com 4 weeks ago
Tell me you didn’t take a look at your windows update settings without saying so.
Blackmist@feddit.uk 4 weeks ago
Mine restarted while I was watching a movie.
Thanks Windows.
gregor@gregtech.eu 4 weeks ago
Linux time?
NegativeLookBehind@lemmy.world 4 weeks ago
Linux always
TechAnon@lemm.ee 4 weeks ago
A working clock is always right!