I have to admit, the Crowdstrike video and the Microsoft DDOS video, and this one, are the three best videos I have used to report details to my job. Thank you so very much for doing these.
Even the guy who wrote the Windows for Dummies Books (Woody is his name) has very good info on being aware of patching stuff. I'm sure he knows about this too
One very important note. Disabling IPv6 is NOT the fix. The fix is to patch you system with the updates that have been released last week. The Windows networking stack still processes IPv6 packets. Remember that this exploit has not yet been fully disclosed so we don't have all details about it and cannot assume "fixes" by doing random actions instead of properly patching the systems!
Sorry if this is a daft question but how exactly does the Windows networking stack process IpV6 if the protocol is disabled from all network interfaces? Agreed on patching!
Not arguing you shouldn't update for other reasons anyway, but Microsoft's article specifically lists under mitigations: "Systems are not affected if IPv6 is disabled on the target machine". That sounds like disabling IPv6 is supposed to be sufficient in blocking the attack.
So, should there be some discussion and debate on the implications of how microsoft has implemented ipv6 in windows? If ipv6 is used for some internal processing and you can't shut it off then MS has cemented any possible future vulnerability for ipv6. This could have huge security implications for the future and it might be worth looking into whether there needs to be a demand for the ipv6 implementation to be changed so that users can shut off ipv6 if necessary.
Not sure why you would have to even check...Windows force feeds updates down your throat and essentially gives you no option otherwise (in the general case).
I wonder how long this has been potentially exploited in the wild? How many other core functions are wide open to exploitation that have gone undocumented are in the hands of a few adventurous code spelunker's?
According to official legal paperworks... the Federal Reserve had accounts worth 2.1 Septendecillion dollars. That's a great number too. No wonder inflation is so bad.
@@ZeldagigafanMatthew ONE PERSON = ONE HOUSE. IMPRISON ALL LANDLEECHES ON A PRISON COLONY AND LET THEM RENT FROM EACH OTHER, SEE HOW LONG ALL THEIR VALUABLE CONTRIBUTIONS TO SOCIETY ALLOW THEIR LITTLE ECONOMY TO LAST.
Thank you for that view into autism. I have an autistic grandson. He lives pretty far away from me, so I don't interact with him often. What you wrote reminded me of some experiences we had when his father was in elementary school. One teacher actually dragged him from the classroom because he "always looks out the windows" and because he "won't ever listen to me" but he still scored well on the material she was teaching. I spent some time in a live-in therapy situation. My therapist told me that I had a high attention to detail. I told him that was because I was a computer programmer. He laughed and told me it was the other way around. That's not much in the way of ASC, but with a grandson who is autistic, it makes me wonder. His father and I have had experiences that I had never associated with autism, but now I'm not sure.
Autism definitely runs in families. I have it, my mother does, grandfather does, my Uncle has it to a lesser degree, his son (my 1st cousin has it to a high degree). I have great uncles who had it also, seems to affect the males in our "family" the most. Pretty sure my niece has it also but to a lesser degree
I am a 53 yo Australian male, (probably on the Spectrum, but undiagnosed - which is probably what draws me to Dave's garage) and much of the previous comments ring true for me - reflection on school involves looking out the window (incredible boredom) and high academic achievement with little effort. Anyway, just wanted to say, thanks for all the comments, it really makes me feel there is sense in a world which is otherwise lacking any. Keep it up, all.
I'm the guy at my employer that would have to manage this. They laid me off right before this popped up. I'm looking forward to watching the fireworks.
When they call you to extinguish the dumpster fire, demand at least double your rate and no less than $100/hr. If they’re desperate enough, they’ll pay…
I'd never considered the protection granted by the use of NAT, or rather, the loss of protection when moving to IPv6. Interesting thought. As always, this is how we get new ideas, by THINKING together and talking reasonably. Thanks for the video!
To be fair, good home routers with IPv6 support will still enforce SPI on IPv6 access, preventing unwarranted/unexpected connections from the WAN in a similar way to NAT. In essence: - NAT requires tracking outgoing connections and maintaining a table of address:port bindings that correspond to internal hosts. New connections are added to this table, and incoming packets that don't match this table are discarded. - SPI also tracks outgoing connections and ports, and any incoming packet from the WAN that isn't expected by the table is discarded (even if it's destined for a valid internal host + port). In technical terms, NAT requires SPI (i.e. connection state tracking) to translate packets properly, but SPI can be used with or without NAT. A proper IPv6 network just trades port forwarding rules with incoming packet allow rules, but otherwise has the same base security as a traditional IPv4+NAT network.
Yep. With NAT, if you want a port exposed, you forward it. With IPv6, you just open it at the firewall. An advantage is, if you have more than one machine that wants to listen on the same port, you can open them all without having to pay extra for additional IPv4 addresses. Another advantage is, you can use a v6 address as an extra layer of security: If you open a port on IPv4, plenty of systems mass-scan the entire IPv4 space, and there are even search engines like Shodan to find vulnerable ports. If you ever forward port 22 from a Linux machine, expect constant brute force attacks at the very least. With IPv6, unless the attacker has another way to know that address, it'd be prohibitively expensive to even scan a single /64 subnet, and actually impossible to just scan the entire Internet looking for vulnerable ports! This isn't foolproof, there are ways you might leak those addresses, but it's better than IPv4!
@@DylanClements98 NAT basically is somewhat of a firewall. Using it without forwarding any ports, all incoming connections get shut down at the router. It's pretty standard nowadays for home routers to have a firewall that does this by default in IPv4 and IPv6 anyway, but it's somewhat disingenuous to say NAT doesn't protect you at all.
The thing that really p**ses me off is that Microsoft has patches for Windows 10 versions 1507, 1607, and 1809 (all LTSB/C), Windows Server 2008 R2 ESA (Windows 7), and Windows Server 2008 ESA (Windows Vista). This means that basically Microsoft can patch all versions of Windows 10, Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2, but they chose to only patch ESA, and for Windows 10's many different versions, they only patched the latest + LTSB/C. For Windows 7 and Server 2008 R2, people can use an ESA bypass patch, that is if they can get it to work. For anyone not using the latest version of Windows 10 or an LTSB/C version, they have no option but to completely disable IPv6. Given the severity of the patch and that it affects every Windows version going back to at least Windows Vista, I find it inexcusable that Microsoft easily has the ability to make the patch work on all versions of these OS's, but withheld such patches, making sure to only support the latest Windows versions, ESA, and LTSB/C, the same as they would do for say an everyday mundane feature or usability patch. But this isn't that. This is something that can potentially allow any kind of malware to run on an affected system bypassing all security and spread through the Internet. In these days of ransomware and highly destructive malware, this is absolutely unacceptable behavior from Microsoft. Again, they have patches for all of these versions of Windows, and are choosing to withhold them, deliberately restricting who can patch their OS. For people who are running a version of Windows that doesn't have a patch, it's best to just completely disable IPv6. Don't just clear the checkbox in Network Adapter settings as that isn't enough. You ***need*** to add this registry setting as well: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters, add dword DisabledComponents and set to ff, then reboot. Open a command prompt and run ipconfig /all and ensure that there is ***no*** IPv6 section. If you need IPv6, you can use Tor, as that will give you an IPv6 address, and bypass the affected Windows components (ipconfig /all in a command prompt will show no IPv6 section). There's also 0patch, but it doesn't have a patch for this problem, although it might in the very near future. But I believe this will only work for ESA and not for all the various versions of Windows 10 for which Micosoft is withholding patches.
I'm so glad I finally bit the bullet and switched to Linux once all the win 11 shenanigans started coming out, and they announced that win 10 won't be supported after 2025. Between wine, proton, and VMs/dual booting, I haven't found a need for windows for gaming or work anymore. I was worried about it being a pain to switch, but it only took about a day to get things running smoothly.
I'm with MS on this. They weren't kidding when they said no more patches. People know what they're getting into by not buying into ESA. No patches means no patches. This is like when someone asks you if you want anything from the shop, you say no, and then get mad when they don't get your anything XD
I realize most of your audience already knows this but some of us (not saying who mind you) some of us could use 1 or 2 sentences out of your 11 minute video on HOW to disable IPV6!!! Woops! Love the shirt.
Thanks, Dave, for breaking down this critical Windows exploit in such an accessible way. It's a reminder of how important it is to stay informed and up-to-date with security patches!
I run linux but I also have IPv6 disabled on my network. So even if I was running a windows machine with this vulnerability, it wouldn't have affected me. At least while that machine is on my network and not using something like public wifi.
"And then some..." That is the understatement of the year. The IPv6 address space is so large that 10^20 IP addresses can be assigned to every grain of sand on earth, i.e. a hundred quintillion address for each grain of sand.
I was someone who used a computer once who managed to somehow get a job in IT security. I need to thank you and other experts for making these videos so I can report security vulnerabilities at my job. Edit. don't click like to this so the comment stays hidden. Don't want my boss to see where I get my info.
Can the IPv6 attack be done as a response to a tcp request.. say to port 443? That would get it through a firewall and infect systems that visit a particular website.
from the very scarce info about this bug, its before the data layer so yeah...also, it seems you need to flood the target with specific packets, so its not that easy to trigger
5:30 According to Sami Laiho, disabling IPv6 is not supported by Microsoft, which means Microsoft doesn't test machines anymore that have IPv6 disabled. In fact I know it actually even will give problems in some situations where you would think you don't need it, like Exchange Servers or sometimes even domain controllers. But thanks for the cool video :)...
So... in a short summary, we shouldn't really worry about the disadvantages of disabling ipv6 unless you're a sysadmin. I got mine always disabled since 7, I'm an average user and I haven't been experiencing any side effects since then. My ISP doesn't provide me with IPv6 either... so I guess I'm fine for now.
@@user-kr6ih2gz5l yes, you should worry. Just because you didnt have any problems yet, doesnt mean others with other components or programs dont also have, nor does it mean you wont get problems in the future with updates. And especially if you are NOT a sysadmin that has tools and knowledge to check why sonething doesnt work to then find the disabled ipv6 is the reason. Problem many then just blame it on microsoft, even though you did something unsupported.
@@Lofote well... what should I do then? For technical reasons I can't get my PC to update... so I'm keeping the IPv6 disabled in the regedit for the time being. I'm aware there are some IPv6 only websites/apps but luckily I don't use most of them.
Keep in mind that IPv6 shouldn't be disabled entirely in W10+, since some components on Windows supposedly use it internally. Microsoft's own guidance says to not disable it for this reason...
I commented in another thread that it would not surprise me to discover that disabling IPv6 causes an unpublished and undocumented feature of Active Directory to go haywire and cause a network meltdown. … But Active Directory is mostly a concern for corporate networks. Microsoft tries hard to idiot proof Active Directory, but when things go sour, they go very sour.
Also, worth adding, if your ipv6 address is public routable, it could be that even if you used the windows firewall to block it, the exploit still can occur as it is executed before the firewall
Windows and exploits go hand in hand, it's literally the most exploited OS out there and not just because its the most popular OS used by average users.
@@kingcobra3329 Every process that is started works then too administrator rights can mess up system. That can be poor quality software that wants to install garbage or malicious software. Normal user accounts shields the system effectively and it is one of the basic security measures.
Thanks Dave for putting this info all in easy to understand teams that are not a developer level so everyone can understand how this issue could affect us.
Thanks for explaining this, its amazing how many of these exploits go under the radar for many people, I never thought I would have to disable IPv6, but thanks to this advice, I have done, and you're right for the average joe, I will disable this on my other machines too.
Can we not go and un-install IPV6.??? We could do it with IE. in the same area.*UPDATE* I can't find a listing for it in "Windows Features" UPDATE 2. It is in "Device Manager" under "Network Adapters": FINAL UPDATE Aug 30- 2024 You Tuber "NetworkChuck" informed me I was wrong. The location is [network and sharing center] > {Ethernet] look at the properties and you can find a check-mark box there to un-check.
Re: IPv4 and 6, my ISP switched to ipv6 entirely, and when I got a new router, my linux machine, iPhone, and most of my other devices just started using ipv6 exclusively. I didn't even notice until a while later. Pretty cool, given how much of a pain ipv6 used to be. Now it seems to just work. I haven't had a single issue with it
I would have IPV6 disable in my builds... except Microsoft says: "Internet Protocol version 6 (IPv6) is a mandatory part of Windows Vista and Windows Server 2008 and newer versions. We do not recommend that you disable IPv6 or its components. If you do, some Windows components may not function."
I've always disabled IPv6 on my systems no matter the OS, as one of the first things during the process of disabling DHCP and setting static IP's on my LAN for ease of LAN gaming and things such as Jellyfin of my personal archive of movies and shows I own on DVD & BD. One other thing I've done for my network since the rise in Wi-Fi enabled devices is whitelisting the Wi-Fi access to the MAC addresses of my devices and pairing those MAC's with IP addresses at the router (particularly for phones, tablets and game consoles).
For wifi I have... well... several SSIDs, but basically 2 types; 1) Internal access networks have to be approved before being allowed, which means that MAC spoofing needs to be off on mobile devices. And I'm not approving a device until I have poked at it and made sure it has some level of auto-updates and/or antivirus on it. 2) Guest/IoT networks have host isolation, and only route out to the internet. So they get internet access to do what they want, but if they get infected they can't infect everything inside the network. Can't even infect other devices on the same vlan/SSID. Also no access to the media library or other internal resources.
You might, but it's likely that at least 99.99% of users wouldn't even know about IPv6, let alone know how to disable it or why to do it. I've been working in the IT sector for 26 years and wouldn't have a clue about networks past pluging in the cable and hoping it would work. It's just not my area of expertise.
DHCP can be a nice centralized way to hand out those static IPs, without having to reconfigure each device directly. And IPv6 has some security improvements, too.
My local networks are for a) dumb devices that need internet access, heavily filtered, and B) only able to see the router, client isolation. To be able to talk with other clients you must run a specific IPsec route and if you want internet - another IPsec
The problem is, at least for Germany, the number of ipv6 only services is rising. Other countries which never got a big ipv4 pool, like China as most famous example, are decades ahead in ipv6-only services. So turning it off is not that good. As far as Windows LANs, with Domain Controllers, are concerned: When ipv6 was active during dcpromo, don't turn it off or you may have extra 20+ minutes to wait until you can logon. Most prominently happened with Small Business Server 2008 and SBS 2011.
I operate IPv4 and IPv6 so that I understand the differences. They are VERY different in terms of how they handle ARP, router identification, DHCP vs SLAAC, multicast, etc. We're just about to pass the 50% adoption rate in the next year or two -- Windows prefers IPv6. It's not scary, it's just different. Please don't discourage its use as even the IPv6 multicast expansion would allow much more efficient distribution of video instead of unicasting IPv4.
Microsoft has not patched any OS below Windows 10, with the excel of ESA Servers. If they patch all old OS that use IPv6, I would definitely recommend patching, rather than disabling. However, until that happens, bye bye IPv6! 👋😂
Yeah the recommendation to disable V6 is bizarre and out of touch with reality. We aren't living in 4 years ago anymore. V6 is gaining adoption exponentially at this point. Well logistically not exponentially, obviously it can't keep going exponential past 50%.
Yep, everyone in IT needs to learn, use and deploy IPv6 at this point. All the pushback from people not willing to learn is annoying. I have spent the last 8 years deploying IPv6 to locations at work as we upgrade routers, no one notices but it sure reduce the size of my IPv4 NAT tables on my firewalls. Over 50% of the internet traffic leaving my network is over IPv6.
What kind of router lets IPv6 through unfiltered from outside?! Unless I specifically expose my PC to the outside by creating forwarding routes, nothing from the internet should be able to get in. Just because there's no NAT anymore doesn't mean there is no firewall..
As has been read elsewhere, due to the nature of this thing, at least Windows Firewall is useless as it exploits the kernel on arrival. There are routers that do not filter - your Windows computer can be accessible from outside. Then there are all sorts of mobile devices that connect to the work, home or Starbucks network multiple times a day.
I disabled ipv6 on my windows 10 system and it stopped doing the auto login and also didn't run my list of startup programs, so i then re-enabled it. To be clear, I disabled it on only the one physical ethernet, a 2.5 gb, but not the npcap loopback adapter, or the disconnected 1.0gb ethernet or the 2 vmware network adapter's. It would seem that ipv6 is needed for something here.
IPv4 being easy for humans to read, see patterns in, and reason about also helps a lot when it comes to setting up subnets, VLANs, routes, firewall rules, etc. I always feel there's more danger of making a stupid mistake with IPv6.
Because the news is only interested in sensationalism and headlines to create drama. Most news outlets don’t really cover important technical news, and even when they do they basically report dramatic headlines without context (see: recent CrowdStrike failure).
Journalists don't understand technology nor have any desire to do so. They can waltz around political double-speak all day long, but when it comes to technical matters, they are clueless and call their IT department. Even if they do end up running a story, they are playing the game "telephone" where they are regurgitating what was explained to them but contribute misinformation in the process which causes embarrassment later when they are corrected. In short, they know that they're bad at handling stuff like this, so they don't bother trying.
You can still have someone connect to your network and exploit the vulnerability. This can happen by just bringing an hacked/infected device to your home or a silent wifi attack. You can even trigger windows to disconnect from your home network and connect to a roge AP to exploit the vulnerability. So yeah... You have to worry. Patch your systems
@@TigTex Not really a convenient vector when you're wired though. If a guy came into my home them being able to infect my computer by plugging on the router is on the bottom of my concern list. I'm still going to run the update obviously, but let's be real for a lot of average consumers this isn't that critical, unlike servers who are a lot more at risk.
Not even close; IPv6 space is 2^128 (=~3e38), the number of atoms in earth is ~10e50. It is a huge number, but it's still 12 zeroes behind the number of atoms in earth.
@@bigboi1004 That's still way too much. That's enough to assign every star in the observable universe it's own IP address a quadrillion times over. I'm guessing the designed it for the interstellar internet. lol
To be clear, your roof is on fire, and you cannot access your fire extinguisher becauser your cellar is flooded, and your wife divorced but you have to take care of your 99 prescholl kids while working from home. And also pay her for the yoga trainer who is why she left you. That kind of danger level. Ask me how I know!
IPv6 for home users is pretty common in this part of the world (on the ISP side it reduces the scale of CGNAT required because the IPv6 traffic doesn't need NAT'ing). Personally, around 75% of my home traffic is IPv6, and some ISP's see significant percentages of IPv6 traffic to/from their general population of IPv6 enabled end-users. Many ISP's enable IPv6 by default, and provide CPE routers with it enabled by default.
Fine commentary except for the recommendation to 'turn IPv6 off if you're not using it.' IPv6 isn't some bloatware service you switch on or off as needed. It's a core part of the current and future Internet. The transition to IPv6 has been ongoing for some time now but more networks support it every day. There is nothing wrong with the protocol. Any compliant TCP/IP stack should support IPv6 by now. And I would expect all major OSes to support it flawlessly. If that assumption can't be relied on then you probably can't rely on anything else, either.
This should be a top comment. We've run out of available IPv4 address blocks 5+ years ago, so it's only a question of time when more and more services will be IPv6 only.
IPV6 is a failed technology. Adoption has stagnated for most of 20 years, not in small part due to issues like this. Eventually somebody needs to acknowledge the failure and come up with a viable alternative that people will actually use.
@@Pyrazahn Well, yes.... except that in 1996, during a Windows NT networking course, I was given the same scare story about ipv4, and how ipv6 was going to be the panacea. My math tells me that was 28 years ago. Meanwhile, around the early 2000s, I was working with a large multinational bank (JPMorgan in this case). Coincidentally they had a project to switch from NAT to assigning public ipv4 addresses to every machine on their network. I questioned why at the time in a sort of "why would you want to do that" way. Apparently it was because they happened to have a class B allocation so wanted to use it all up. No other reason. NAT has always been just one of many layers of security on a network, but a dogmatist just wanted to delete it because reasons. Looking back, this can only ever have been a tail-wagging-the-dog IT project.
Nobody even hinted whether it's supported or not. The point was do you need it? And the answer to that also appears to be no, possibly unless you're running a corporate PC. Because all these OSs still support IPv4.
Dave, i recently came across your channel and listening to you highlight some of the issues with windows and the update issues i've experienced with win10 to the point of one the updates crashing my pc to a point i could'nt recover it without doing a compete reinstall has now caused me to do the jump to linux that i've been wanting to do for many years but wasn't brave enough to jump. The difference is night and day, i installed Linux Mint on my Panasonic Toughbook laptop as a guinea pig and ohh what a difference, i can safely say it wont be long before my main Pc is de-windowed but i will continue to follow your channel as you come up with some very useful gems.
Thanks Dave for the information. I have applied the latest patches to my only Windows device. It’s at these times, I’m happy to be a “retired “ Windows Server Engineer and not having to work about these patches…
Take the CVE code he gave at the beginning of the video and search it in Google you can learn what to do there. If you just want to educate yourself. But, I believe Microsoft has pushed out an update for this…definitely important to keep your systems updated.
I wonder just how simple or complex the attack is. I've watched video on exploiting speculative execution and winning race conditions between loops and that all seemed extremely hard to predict as a programmer as a potential threat. I've also seen the history of breaking console security and I think the most impossible to have predicted as an attack vector was people drilling into an intergraded circuit chip to cut a grounding wire. I hope in time we get the full explanation of what exploit did. That is assuming this whole IPv6 buffer underrun wasn't just an obfuscation and that has nothing to do with the exploit and was published to mislead hostile researchers.
It is the sound effect attached to his subscribe graphic overlay, however oddly because he adjusted his framing, it seems as if the subscribe graphic was out of frame - a bit strange given that usually zooms don’t affect graphics unless everything is compounded together.
I believe the biggest problem with computers is the tech is moving so fast, IT security is atleast one or more laps behind. AI is just making things infinitely harder for us specialists to keep up with
I am a retired Microsoft Software Engineer and clicked the Do not recommend channel link right after watching the video. Why? Because this is 90% clickbait. This attack is not possible if your Windows machine is not on the internet directly, and for most (all?) of you, your machine is not on the internet but behind a router which creates a local network. Since that router is not Windows, it does not matter if it has IPv6 or not. And for those of you saying that you need IPv6 in your machines, you do not. Why? Because you are in a local network, not directly on the internet.
Could Windows IPv6 vulnerabilities be exploited on my home network, even I have blocked IPv6 at the home router? Yes, even if you've blocked IPv6 at your home router, Windows IPv6 vulnerabilities could still potentially be exploited on your home network. Here's why: Dual-Stack Devices: Many devices, including Windows computers, are dual-stack capable, meaning they can support both IPv4 and IPv6. This means that even if IPv6 is blocked at the router level, these devices can still attempt to communicate using IPv6. Hidden IPv6 Interfaces: Some devices might have hidden IPv6 interfaces that aren't visible at the router level. These interfaces could be exploited if they are vulnerable. Network Address Translation (NAT) Issues: NAT can sometimes introduce unexpected behaviors, potentially allowing for IPv6 traffic to bypass the router's blocking rules. Third-Party Software or Drivers: Certain third-party software or drivers on your network devices might have vulnerabilities that could expose your network to IPv6 attacks, even if the router is blocking IPv6.
Yet another excellent, timely video Dave, many thanks for that. You do raise a huge issue with the Chinese Government, they will exploit vulnerabilities. Keep up the great work Dave, fab videos. It just reminds me how far we are from CP/M..... :)
"Turn off IPv6 if you don't need it . . . " Thanks for the advice and especially the discussion about if I need it. You could do a service to folks like me with a link to a "how to" video, and some way to tell if it's gone wrong.
Thanks for the great info Dave. I am behind a home NAT firewall, so I turned-off IP-V6 in Windows 10 Pro. Will see if anything breaks, but I don't think my ISP WOW even supports IV-P6. Really enjoy your videos. Keep them coming!
Most people that have IPv6 enabled are in fact using it. Most large internet services (Google, Facebook, Microsoft, and many more) are reachable over IPv6 and it's been the preferred protocol in all browsers. Most if not all home routers that support IPv6 have a built-in IPv6 capable firewall that will block all unwanted connections from the outside. So while it might not be strictly necessary, disabling IPv6 does not enhance security and will harm global adoption of IPv6 in the long term.
As soon as I saw your thumbnail I turned off my Windows PC and watched this on my Linux computer. I'm going to turn my Windows PC back on now and disable IPV6. Thanks for the video. Subscribed 🙂
Fyi: "Google's IPv6 usage reached a new record of 45.28% on September 2, 2023. We are on track to hit 50% IPv6 adoption somewhere in 2024" Personally I think a lot of that is coming from phones and I don't know how to break that out to windows PCs.
*"Get the latest updates as soon as they're available... be among the first to get the latest non-security updates, fixes..."* Dave, I took your advice and turned this on, albeit a little perplexed that it said "non-security updates" and then the update was... "Security Intelligence Update for Microsoft Defender Antivirus..." Well, of course!
The problem is Windows updates are disruptive and have broken Windows in the past, so it's hard to trust them. Also strongly disagree with disabling ipv6 - any changes from the defaults at this level are going to possibly create problems that either aren't obvious or don't have obvious fixes/relationship to the action of turning off ipv6.
Completely agree with Windows Updates. However, you usually can download the specific update related to the vulnerability as an exe (or similar) online. I have not checked for this particular vulnerability yet. Disabling IPv6 can always be undone if you notice unintended effects.
Unfortunately, one of the patches deployed in the past couple of days brought my system to a crawl. And when I say crawl is that a build script that normally executed in 18-20 seconds suddenly took 2:45-3.00 minutes! Had to uninstall them and hope that people with time on their hands have the same issue and get it fixed.
If you Dual Boot with Linux, DON'T update yet!! The SBAT is preventing Linux from booting. Microsoft claims that it should not have any impact, but there are increasing reports of people getting the error: "Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation" This is EXACTLY why I disable automatic updates in Windows and read up on what is being patched first. If you are a Dual-booter who already installed the update, there is a work around by disabling your secure boot in the BIOS, login to your Ubuntu and delete the SBAT Policy in terminal by entering: sudo mokutil --set-sbat-policy delete
The good-ish news, it's almost impossible to actually turn off Windows Update on Windows 10. I've tried. It always gets turned back on.... I finally gave up, but I know there's downloadable stuff out there to actually do it....but I decided to live with it.
there is an easy way to do it with group policy or using a simple registry file with the correct values each of these registry settings are available as a group policy - changing one also changes the other - where you see - 2024-07-30 - - if you put today's date in there - and load this to your registry - your windows updates will be paused for 6 months - Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate] "ExcludeWUDriversInQualityUpdate"=dword:00000001 "DeferFeatureUpdates"=dword:00000001 "DeferFeatureUpdatesPeriodInDays"=dword:000000b4 "PauseFeatureUpdatesStartTime"="2024-07-30" "DeferQualityUpdates"=dword:00000001 "DeferQualityUpdatesPeriodInDays"=dword:0000001e "PauseQualityUpdatesStartTime"="2024-07-30" - or to resume updates - Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate] "ExcludeWUDriversInQualityUpdate"=dword:00000000 "DeferFeatureUpdates"=dword:00000000 "DeferFeatureUpdatesPeriodInDays"=dword:000000b4 "PauseFeatureUpdatesStartTime"="" "DeferQualityUpdates"=dword:00000000 "DeferQualityUpdatesPeriodInDays"=dword:0000001e "PauseQualityUpdatesStartTime"=""
Dear Dave, disabling IPv6 is a horrible horrible idea, almost 50% of US IS using IPv6, even if it in many cases isn't required, but will you take responsibility when it is? Most exploits these days are done over IPv4, so you are better of by disabling that first.
Where did you get your statistics? Disabling services, protocols, etc. that aren’t in use should be common sense. I’ve never used IPv6 on my home network because literally nothing requires it. And so, yes, it’s disabled and no, that’s not horrible.
In the Linux kernel alone, 1,600 vulnerabilities have been reported since the beginning of the year. 7 per day. Only in the kernel. And what does that prove?
Disable IPv6 as a solution is the equivalent of telling people to disable IPv4 because most of their sites can be accessed over IPv6 anyway. IPv4 is technical debt. More and more countries are experiencing shortages that pretty much makes IPv4 unusable. AWS is now billing every IPv4 per unit and techs are being developed so you only need one stack on the net (v6. And a sort of nat to v4 to get to legacy websites. Already happens on some mobile nets.)
I've been disabling the IP Helper service that processes IPv6 on clients' PCs for years. Talk about foresight! I was doing it to reduce bloat on underpowered hardware, but I'll take that win...
@@V1CT1MIZED like most things in Windows, it isnt simple to do, just turning it off in the network configuration doesn’t completely disable it, it isnt an easy thing to do fully
![[DOKKAN BATTLE] Worldwide Campaign Announcement Video Part 2!](http://i.ytimg.com/vi/JpT5Voak6WA/mqdefault.jpg)
I ran Dave's shirt through a compiler and it fixed my ipv6 vulnerability and made me a coffee.
Ah, I'm missing the days when every desktop computer had a button-operated retractable coffee cupholder! Now they're a rarity!
HAHA 1001001010100100010101010
Where is the SOF and EOF ?
Haha. Here it erased the temp files, did a BIOS update and the computers internal speaker is playing Ave Maria all the time.
I want that shirt!
I have to admit, the Crowdstrike video and the Microsoft DDOS video, and this one, are the three best videos I have used to report details to my job. Thank you so very much for doing these.
....they fucked up a regex at crowd strike... lol
Yet another proof that regexes are the devil.
When Dave says you should look out for an exploit, I'm gonna listen.
Even the guy who wrote the Windows for Dummies Books (Woody is his name) has very good info on being aware of patching stuff. I'm sure he knows about this too
He is the Galactic Mega Ex Ploiter Scammer!
When Dave says "Jump!", you ask "How high?!" haha
One very important note. Disabling IPv6 is NOT the fix. The fix is to patch you system with the updates that have been released last week.
The Windows networking stack still processes IPv6 packets. Remember that this exploit has not yet been fully disclosed so we don't have all details about it and cannot assume "fixes" by doing random actions instead of properly patching the systems!
Good point, which reinforced the advice of the video - update now.
Sorry if this is a daft question but how exactly does the Windows networking stack process IpV6 if the protocol is disabled from all network interfaces? Agreed on patching!
Not arguing you shouldn't update for other reasons anyway, but Microsoft's article specifically lists under mitigations: "Systems are not affected if IPv6 is disabled on the target machine". That sounds like disabling IPv6 is supposed to be sufficient in blocking the attack.
So, should there be some discussion and debate on the implications of how microsoft has implemented ipv6 in windows?
If ipv6 is used for some internal processing and you can't shut it off then MS has cemented any possible future vulnerability for ipv6. This could have huge security implications for the future and it might be worth looking into whether there needs to be a demand for the ipv6 implementation to be changed so that users can shut off ipv6 if necessary.
Disabling ipv6 disables all handling of ipv6. It does not exist then. It’s as simple as that.
Just checked my Windows Update status, thanks for the explanation and reminder. Also, that shirt is amazing.
@@eldibs ::goes to check shirt:: yup. Ya not wrong.
Not sure why you would have to even check...Windows force feeds updates down your throat and essentially gives you no option otherwise (in the general case).
I wonder how long this has been potentially exploited in the wild? How many other core functions are wide open to exploitation that have gone undocumented are in the hands of a few adventurous code spelunker's?
What is the big deal about a dark blue shirt with sail boats on it?
@@samlevi4744-legit stole my thought- time traveling ass
Very interesting information. Also Dave, I have to say that you are very well spoken and a pleasure to watch and listen to. Great video as always!
IPv6 = 340 Undecillion available. Great number.
There are still very much ways to scan the IPv6 range.
According to official legal paperworks... the Federal Reserve had accounts worth 2.1 Septendecillion dollars. That's a great number too. No wonder inflation is so bad.
@@govcorpwatch Oh yea, clearly it's the fed printing to much, and not the landlord rising rent by 5% month over month.
@@ZeldagigafanMatthew - People just became greedy in the past few years?
@@ZeldagigafanMatthew ONE PERSON = ONE HOUSE. IMPRISON ALL LANDLEECHES ON A PRISON COLONY AND LET THEM RENT FROM EACH OTHER, SEE HOW LONG ALL THEIR VALUABLE CONTRIBUTIONS TO SOCIETY ALLOW THEIR LITTLE ECONOMY TO LAST.
Thank you for that view into autism. I have an autistic grandson. He lives pretty far away from me, so I don't interact with him often. What you wrote reminded me of some experiences we had when his father was in elementary school. One teacher actually dragged him from the classroom because he "always looks out the windows" and because he "won't ever listen to me" but he still scored well on the material she was teaching. I spent some time in a live-in therapy situation. My therapist told me that I had a high attention to detail. I told him that was because I was a computer programmer. He laughed and told me it was the other way around. That's not much in the way of ASC, but with a grandson who is autistic, it makes me wonder. His father and I have had experiences that I had never associated with autism, but now I'm not sure.
Autism definitely runs in families. I have it, my mother does, grandfather does, my Uncle has it to a lesser degree, his son (my 1st cousin has it to a high degree). I have great uncles who had it also, seems to affect the males in our "family" the most. Pretty sure my niece has it also but to a lesser degree
I am a 53 yo Australian male, (probably on the Spectrum, but undiagnosed - which is probably what draws me to Dave's garage) and much of the previous comments ring true for me - reflection on school involves looking out the window (incredible boredom) and high academic achievement with little effort. Anyway, just wanted to say, thanks for all the comments, it really makes me feel there is sense in a world which is otherwise lacking any.
Keep it up, all.
I'm the guy at my employer that would have to manage this. They laid me off right before this popped up.
I'm looking forward to watching the fireworks.
That sucks but karma's a b!tch. Here's hoping you get that golden phone call to return to work (with an appreciative raise)
@@bokami3445 nah. you should never come back. never.
When they call you to extinguish the dumpster fire, demand at least double your rate and no less than $100/hr. If they’re desperate enough, they’ll pay…
@@AFlyingMayMay Trust me I'm demanding double the salary. And it was already in the 6 figure range.
@@mawnkey no wonder they laid you off if you're getting > $1m PA. You can get so much for 1/10-1/5th of that.
Dave is definitely the best teacher: he has charisma and teaches with clarity and cogency.
I'd never considered the protection granted by the use of NAT, or rather, the loss of protection when moving to IPv6. Interesting thought.
As always, this is how we get new ideas, by THINKING together and talking reasonably. Thanks for the video!
To be fair, good home routers with IPv6 support will still enforce SPI on IPv6 access, preventing unwarranted/unexpected connections from the WAN in a similar way to NAT. In essence:
- NAT requires tracking outgoing connections and maintaining a table of address:port bindings that correspond to internal hosts. New connections are added to this table, and incoming packets that don't match this table are discarded.
- SPI also tracks outgoing connections and ports, and any incoming packet from the WAN that isn't expected by the table is discarded (even if it's destined for a valid internal host + port).
In technical terms, NAT requires SPI (i.e. connection state tracking) to translate packets properly, but SPI can be used with or without NAT. A proper IPv6 network just trades port forwarding rules with incoming packet allow rules, but otherwise has the same base security as a traditional IPv4+NAT network.
Yep. With NAT, if you want a port exposed, you forward it. With IPv6, you just open it at the firewall.
An advantage is, if you have more than one machine that wants to listen on the same port, you can open them all without having to pay extra for additional IPv4 addresses.
Another advantage is, you can use a v6 address as an extra layer of security: If you open a port on IPv4, plenty of systems mass-scan the entire IPv4 space, and there are even search engines like Shodan to find vulnerable ports. If you ever forward port 22 from a Linux machine, expect constant brute force attacks at the very least.
With IPv6, unless the attacker has another way to know that address, it'd be prohibitively expensive to even scan a single /64 subnet, and actually impossible to just scan the entire Internet looking for vulnerable ports! This isn't foolproof, there are ways you might leak those addresses, but it's better than IPv4!
@@DylanClements98 NAT basically is somewhat of a firewall. Using it without forwarding any ports, all incoming connections get shut down at the router. It's pretty standard nowadays for home routers to have a firewall that does this by default in IPv4 and IPv6 anyway, but it's somewhat disingenuous to say NAT doesn't protect you at all.
I love a good hardened firewall. Loved the Pix back in the day.
Router firmware monkeys can get away with broken or missing SPI, but mess up NAT and everyone will know
The thing that really p**ses me off is that Microsoft has patches for Windows 10 versions 1507, 1607, and 1809 (all LTSB/C), Windows Server 2008 R2 ESA (Windows 7), and Windows Server 2008 ESA (Windows Vista). This means that basically Microsoft can patch all versions of Windows 10, Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2, but they chose to only patch ESA, and for Windows 10's many different versions, they only patched the latest + LTSB/C. For Windows 7 and Server 2008 R2, people can use an ESA bypass patch, that is if they can get it to work. For anyone not using the latest version of Windows 10 or an LTSB/C version, they have no option but to completely disable IPv6.
Given the severity of the patch and that it affects every Windows version going back to at least Windows Vista, I find it inexcusable that Microsoft easily has the ability to make the patch work on all versions of these OS's, but withheld such patches, making sure to only support the latest Windows versions, ESA, and LTSB/C, the same as they would do for say an everyday mundane feature or usability patch. But this isn't that. This is something that can potentially allow any kind of malware to run on an affected system bypassing all security and spread through the Internet. In these days of ransomware and highly destructive malware, this is absolutely unacceptable behavior from Microsoft. Again, they have patches for all of these versions of Windows, and are choosing to withhold them, deliberately restricting who can patch their OS.
For people who are running a version of Windows that doesn't have a patch, it's best to just completely disable IPv6. Don't just clear the checkbox in Network Adapter settings as that isn't enough. You ***need*** to add this registry setting as well: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters, add dword DisabledComponents and set to ff, then reboot. Open a command prompt and run ipconfig /all and ensure that there is ***no*** IPv6 section.
If you need IPv6, you can use Tor, as that will give you an IPv6 address, and bypass the affected Windows components (ipconfig /all in a command prompt will show no IPv6 section).
There's also 0patch, but it doesn't have a patch for this problem, although it might in the very near future. But I believe this will only work for ESA and not for all the various versions of Windows 10 for which Micosoft is withholding patches.
If they patched ESA, they can patch the main OS. You’re right 😡
they like to charge extra for longer term support. apparently it's quite lucrative to ding hospitals & military on old versions
@@TehPwnererYep
I'm so glad I finally bit the bullet and switched to Linux once all the win 11 shenanigans started coming out, and they announced that win 10 won't be supported after 2025. Between wine, proton, and VMs/dual booting, I haven't found a need for windows for gaming or work anymore.
I was worried about it being a pain to switch, but it only took about a day to get things running smoothly.
I'm with MS on this. They weren't kidding when they said no more patches. People know what they're getting into by not buying into ESA. No patches means no patches. This is like when someone asks you if you want anything from the shop, you say no, and then get mad when they don't get your anything XD
I realize most of your audience already knows this but some of us (not saying who mind you) some of us could use 1 or 2 sentences out of your 11 minute video on HOW to disable IPV6!!! Woops! Love the shirt.
just bought one haha
Thanks, Dave, for breaking down this critical Windows exploit in such an accessible way. It's a reminder of how important it is to stay informed and up-to-date with security patches!
While you can't condone it that the Chinese government would sit on a zero day is no different to the US government as Snowden showed us.
Happy memories of reselling the TUN TCP stack as a Windows add-on 30 years ago.....
I've never been happier to be on Linux. To all the Windows users out there, be careful and update! Don't let it pass you by!
I run linux but I also have IPv6 disabled on my network. So even if I was running a windows machine with this vulnerability, it wouldn't have affected me. At least while that machine is on my network and not using something like public wifi.
"And then some..."
That is the understatement of the year.
The IPv6 address space is so large that 10^20 IP addresses can be assigned to every grain of sand on earth, i.e. a hundred quintillion address for each grain of sand.
Didn't notice your shirt was 0's and 1's until after 9 minutes of watching lol, subtle!
Not using IPv6 - check
Not using Windows - check
I was someone who used a computer once who managed to somehow get a job in IT security. I need to thank you and other experts for making these videos so I can report security vulnerabilities at my job.
Edit. don't click like to this so the comment stays hidden. Don't want my boss to see where I get my info.
Can the IPv6 attack be done as a response to a tcp request.. say to port 443? That would get it through a firewall and infect systems that visit a particular website.
If my understanding is correct, *any* (application) protocol running over IPV6 makes you vulnerable to this attack. (assuming you've not patched)
If a TCP/IP v6 connection is made to that port, that could be used to identify a target address, which could then be attacked.
from the very scarce info about this bug, its before the data layer so yeah...also, it seems you need to flood the target with specific packets, so its not that easy to trigger
5:30 According to Sami Laiho, disabling IPv6 is not supported by Microsoft, which means Microsoft doesn't test machines anymore that have IPv6 disabled. In fact I know it actually even will give problems in some situations where you would think you don't need it, like Exchange Servers or sometimes even domain controllers.
But thanks for the cool video :)...
So... in a short summary, we shouldn't really worry about the disadvantages of disabling ipv6 unless you're a sysadmin. I got mine always disabled since 7, I'm an average user and I haven't been experiencing any side effects since then. My ISP doesn't provide me with IPv6 either... so I guess I'm fine for now.
@@user-kr6ih2gz5l yes, you should worry. Just because you didnt have any problems yet, doesnt mean others with other components or programs dont also have, nor does it mean you wont get problems in the future with updates.
And especially if you are NOT a sysadmin that has tools and knowledge to check why sonething doesnt work to then find the disabled ipv6 is the reason.
Problem many then just blame it on microsoft, even though you did something unsupported.
@@Lofote well... what should I do then? For technical reasons I can't get my PC to update... so I'm keeping the IPv6 disabled in the regedit for the time being.
I'm aware there are some IPv6 only websites/apps but luckily I don't use most of them.
Keep in mind that IPv6 shouldn't be disabled entirely in W10+, since some components on Windows supposedly use it internally. Microsoft's own guidance says to not disable it for this reason...
I commented in another thread that it would not surprise me to discover that disabling IPv6 causes an unpublished and undocumented feature of Active Directory to go haywire and cause a network meltdown. … But Active Directory is mostly a concern for corporate networks. Microsoft tries hard to idiot proof Active Directory, but when things go sour, they go very sour.
You going to question a Retired Dev of Windows who has been there since DOS and 1.0?
@@shadowopsairman1583Yes, because who knows what kind of garbage they've piled on top of it since he left.
@@wtmayhew I outright disable IPv6 on my home lab and it has yet to cause any issues. 3 2022 DCs seem happy working with IPv4 (outwardly) just fine.
First thing I do after installing Windows or getting a new computer is disable IPv6. I run both Windows 10 and 11 without issues.
Also, worth adding, if your ipv6 address is public routable, it could be that even if you used the windows firewall to block it, the exploit still can occur as it is executed before the firewall
Your edge firewall will block incoming IPv6 packets by default. This is more of an issue for windows servers that are hosting public services.
@k6usy yes of course, that's why I mentioned if it's public routable and windows firewall
@@colinofay7237 thank you this is very good to know
I really enjoy these videos. The explanation and extrapolation is perfect. As well as your delivery and editing. Thank you for this.
Windows and exploits go hand in hand, it's literally the most exploited OS out there and not just because its the most popular OS used by average users.
Also there is weird tradition to run things in administrator.
And why’s it not because it’s the most used by users?
@@kingcobra3329
Every process that is started works then too administrator rights can mess up system. That can be poor quality software that wants to install garbage or malicious software. Normal user accounts shields the system effectively and it is one of the basic security measures.
@@kingcobra3329 it can be a bit bloated, iirc, more code = more risk of exploits
Thanks Dave for putting this info all in easy to understand teams that are not a developer level so everyone can understand how this issue could affect us.
It just occurred to me that we need more acton movie scenes where the "bad guys" need to social engineer a target to achieve the "I'M IN'! moment
Hackers 1995 one of the opening scenes. Almost all of hackers 2.
Mission: Impossible. The original TV series, I mean.
Thanks for explaining this, its amazing how many of these exploits go under the radar for many people, I never thought I would have to disable IPv6, but thanks to this advice, I have done, and you're right for the average joe, I will disable this on my other machines too.
Which patch/update should we be looking for exactly? Windows says I'm up-to date but I have not restarted recently.
CVE-2024-38063
Can we not go and un-install IPV6.??? We could do it with IE. in the same area.*UPDATE* I can't find a listing for it in "Windows Features" UPDATE 2. It is in "Device Manager" under "Network Adapters": FINAL UPDATE Aug 30- 2024 You Tuber "NetworkChuck" informed me I was wrong. The location is [network and sharing center] > {Ethernet] look at the properties and you can find a check-mark box there to un-check.
@@engineer6250 that's the vulnerability identification number not the security patch identification number
I do believe it's KB5041580
@@markae0Disabling IPv6 like that will not prevent you from being exploited. The fix is to install the latest windows updates (released last week)
Thank you for your videos. They are always informative and usually fun and interesting.
The standard romanization of Chinese, Pinyin, uses X to represent a sound that's closer to SH than Z.
Re: IPv4 and 6, my ISP switched to ipv6 entirely, and when I got a new router, my linux machine, iPhone, and most of my other devices just started using ipv6 exclusively. I didn't even notice until a while later. Pretty cool, given how much of a pain ipv6 used to be. Now it seems to just work. I haven't had a single issue with it
Hi Dave, I have a question, what was first, Dave's Garage or Microsoft Garage?
Insider question!
My company managed Windows laptop asked for a reboot after the last security scan. I'm rebooting now and letting the Windows update complete.
Master Dave helping people help themselves!
I would have IPV6 disable in my builds... except Microsoft says: "Internet Protocol version 6 (IPv6) is a mandatory part of Windows Vista and Windows Server 2008 and newer versions. We do not recommend that you disable IPv6 or its components. If you do, some Windows components may not function."
I've always disabled IPv6 on my systems no matter the OS, as one of the first things during the process of disabling DHCP and setting static IP's on my LAN for ease of LAN gaming and things such as Jellyfin of my personal archive of movies and shows I own on DVD & BD.
One other thing I've done for my network since the rise in Wi-Fi enabled devices is whitelisting the Wi-Fi access to the MAC addresses of my devices and pairing those MAC's with IP addresses at the router (particularly for phones, tablets and game consoles).
For wifi I have... well... several SSIDs, but basically 2 types;
1) Internal access networks have to be approved before being allowed, which means that MAC spoofing needs to be off on mobile devices. And I'm not approving a device until I have poked at it and made sure it has some level of auto-updates and/or antivirus on it.
2) Guest/IoT networks have host isolation, and only route out to the internet. So they get internet access to do what they want, but if they get infected they can't infect everything inside the network. Can't even infect other devices on the same vlan/SSID. Also no access to the media library or other internal resources.
You might, but it's likely that at least 99.99% of users wouldn't even know about IPv6, let alone know how to disable it or why to do it. I've been working in the IT sector for 26 years and wouldn't have a clue about networks past pluging in the cable and hoping it would work. It's just not my area of expertise.
DHCP can be a nice centralized way to hand out those static IPs, without having to reconfigure each device directly. And IPv6 has some security improvements, too.
It can break some things on windows server if you do that even if windows server is not actually using IPV6
My local networks are for a) dumb devices that need internet access, heavily filtered, and B) only able to see the router, client isolation. To be able to talk with other clients you must run a specific IPsec route and if you want internet - another IPsec
The problem is, at least for Germany, the number of ipv6 only services is rising. Other countries which never got a big ipv4 pool, like China as most famous example, are decades ahead in ipv6-only services. So turning it off is not that good.
As far as Windows LANs, with Domain Controllers, are concerned: When ipv6 was active during dcpromo, don't turn it off or you may have extra 20+ minutes to wait until you can logon. Most prominently happened with Small Business Server 2008 and SBS 2011.
I operate IPv4 and IPv6 so that I understand the differences. They are VERY different in terms of how they handle ARP, router identification, DHCP vs SLAAC, multicast, etc.
We're just about to pass the 50% adoption rate in the next year or two -- Windows prefers IPv6.
It's not scary, it's just different.
Please don't discourage its use as even the IPv6 multicast expansion would allow much more efficient distribution of video instead of unicasting IPv4.
Microsoft has not patched any OS below Windows 10, with the excel of ESA Servers. If they patch all old OS that use IPv6, I would definitely recommend patching, rather than disabling.
However, until that happens, bye bye IPv6! 👋😂
excel->exception
Yeah the recommendation to disable V6 is bizarre and out of touch with reality. We aren't living in 4 years ago anymore. V6 is gaining adoption exponentially at this point. Well logistically not exponentially, obviously it can't keep going exponential past 50%.
Can't we all just go back to Netbeui and host files?
Yep, everyone in IT needs to learn, use and deploy IPv6 at this point. All the pushback from people not willing to learn is annoying.
I have spent the last 8 years deploying IPv6 to locations at work as we upgrade routers, no one notices but it sure reduce the size of my IPv4 NAT tables on my firewalls. Over 50% of the internet traffic leaving my network is over IPv6.
We shut off IPv6 by default and only allow it on specific devices that need it.
What kind of router lets IPv6 through unfiltered from outside?! Unless I specifically expose my PC to the outside by creating forwarding routes, nothing from the internet should be able to get in. Just because there's no NAT anymore doesn't mean there is no firewall..
As has been read elsewhere, due to the nature of this thing, at least Windows Firewall is useless as it exploits the kernel on arrival. There are routers that do not filter - your Windows computer can be accessible from outside. Then there are all sorts of mobile devices that connect to the work, home or Starbucks network multiple times a day.
I agree with you in theory, but IPV6 was designed from the ground up for every address to be publicly routable.
Ipv6 was designed to get more information about people using it more than anything. Not surprised it has this problem
...which is exactly what Dave said in the video.
@@ChristopherGogganspublicly routable does not equal to publicly accessible
As a security focused employee of a company that runs on the cloud, I was pleased to realize that we do not use IPv6.
I disabled ipv6 on my windows 10 system and it stopped doing the auto login and also didn't run my list of startup programs, so i then re-enabled it. To be clear, I disabled it on only the one physical ethernet, a 2.5 gb, but not the npcap loopback adapter, or the disconnected 1.0gb ethernet or the 2 vmware network adapter's. It would seem that ipv6 is needed for something here.
IPv6 is the future, leave it on and update your system.
Dave. You're rapidly becoming my favorite cybersecurity channel.
NAT was not meant as a security measure. but it helps a lot.
IPv4 being easy for humans to read, see patterns in, and reason about also helps a lot when it comes to setting up subnets, VLANs, routes, firewall rules, etc. I always feel there's more danger of making a stupid mistake with IPv6.
THANK YOU! Why isn’t this on national news?
Because the news is only interested in sensationalism and headlines to create drama. Most news outlets don’t really cover important technical news, and even when they do they basically report dramatic headlines without context (see: recent CrowdStrike failure).
Journalists don't understand technology nor have any desire to do so. They can waltz around political double-speak all day long, but when it comes to technical matters, they are clueless and call their IT department. Even if they do end up running a story, they are playing the game "telephone" where they are regurgitating what was explained to them but contribute misinformation in the process which causes embarrassment later when they are corrected. In short, they know that they're bad at handling stuff like this, so they don't bother trying.
On the plus side, when you have a shitty isp with no ipv6 support you don't have to worry about this one
Still patch it
You can still have someone connect to your network and exploit the vulnerability. This can happen by just bringing an hacked/infected device to your home or a silent wifi attack. You can even trigger windows to disconnect from your home network and connect to a roge AP to exploit the vulnerability.
So yeah... You have to worry. Patch your systems
@@TigTex Not really a convenient vector when you're wired though. If a guy came into my home them being able to infect my computer by plugging on the router is on the bottom of my concern list.
I'm still going to run the update obviously, but let's be real for a lot of average consumers this isn't that critical, unlike servers who are a lot more at risk.
If you have laptop and connect to other WiFi you will be still vulnerable
That shirt is actually the source code for Steve Gibson's Spin Rite.
6:25 Not just every device on the planet, but every atom... a hundred times over. 2^128 is a BIG number.
Not even close; IPv6 space is 2^128 (=~3e38), the number of atoms in earth is ~10e50. It is a huge number, but it's still 12 zeroes behind the number of atoms in earth.
@@bigboi1004 That's still way too much. That's enough to assign every star in the observable universe it's own IP address a quadrillion times over. I'm guessing the designed it for the interstellar internet. lol
I'm glad this was caught now, rather than later when they decide to no longer do updates for Windows 10.
To be clear, your roof is on fire, and you cannot access your fire extinguisher becauser your cellar is flooded, and your wife divorced but you have to take care of your 99 prescholl kids while working from home. And also pay her for the yoga trainer who is why she left you. That kind of danger level. Ask me how I know!
How do you know?
😂 @@irisaacsni
😂
I'm single and have no basement, so I _should_ be okay then. 💁
@@razeezar Only if you never date on a day ending in a 'Y'.
IPv6 for home users is pretty common in this part of the world (on the ISP side it reduces the scale of CGNAT required because the IPv6 traffic doesn't need NAT'ing). Personally, around 75% of my home traffic is IPv6, and some ISP's see significant percentages of IPv6 traffic to/from their general population of IPv6 enabled end-users. Many ISP's enable IPv6 by default, and provide CPE routers with it enabled by default.
Fine commentary except for the recommendation to 'turn IPv6 off if you're not using it.' IPv6 isn't some bloatware service you switch on or off as needed. It's a core part of the current and future Internet. The transition to IPv6 has been ongoing for some time now but more networks support it every day. There is nothing wrong with the protocol. Any compliant TCP/IP stack should support IPv6 by now. And I would expect all major OSes to support it flawlessly. If that assumption can't be relied on then you probably can't rely on anything else, either.
This should be a top comment. We've run out of available IPv4 address blocks 5+ years ago, so it's only a question of time when more and more services will be IPv6 only.
IPV6 is a failed technology. Adoption has stagnated for most of 20 years, not in small part due to issues like this. Eventually somebody needs to acknowledge the failure and come up with a viable alternative that people will actually use.
Yep, please people, turn on IPv6 and use it. I want to be able to get rid of IPv4 in my lifetime.
@@Pyrazahn Well, yes.... except that in 1996, during a Windows NT networking course, I was given the same scare story about ipv4, and how ipv6 was going to be the panacea. My math tells me that was 28 years ago.
Meanwhile, around the early 2000s, I was working with a large multinational bank (JPMorgan in this case). Coincidentally they had a project to switch from NAT to assigning public ipv4 addresses to every machine on their network. I questioned why at the time in a sort of "why would you want to do that" way. Apparently it was because they happened to have a class B allocation so wanted to use it all up. No other reason. NAT has always been just one of many layers of security on a network, but a dogmatist just wanted to delete it because reasons. Looking back, this can only ever have been a tail-wagging-the-dog IT project.
Nobody even hinted whether it's supported or not. The point was do you need it? And the answer to that also appears to be no, possibly unless you're running a corporate PC. Because all these OSs still support IPv4.
Thanks for the research/info/insights. Discussions of security and privacy issues always appreciated.
Thanks for the info. BTW, Cool shirt! I want one LOL
Dave, i recently came across your channel and listening to you highlight some of the issues with windows and the update issues i've experienced with win10 to the point of one the updates crashing my pc to a point i could'nt recover it without doing a compete reinstall has now caused me to do the jump to linux that i've been wanting to do for many years but wasn't brave enough to jump. The difference is night and day, i installed Linux Mint on my Panasonic Toughbook laptop as a guinea pig and ohh what a difference, i can safely say it wont be long before my main Pc is de-windowed but i will continue to follow your channel as you come up with some very useful gems.
What kind of penetration test led to this vulnerability's discovery? Might be worth setting up a lab for to test things.
fuzzy testing, I suppose
We used to call it cr4p flooding
@@robertvondarth1730 I like it. Google SRE book did go further with making it even duller and calls it "Statistical Tests" 🙃
Thanks Dave for the information. I have applied the latest patches to my only Windows device. It’s at these times, I’m happy to be a “retired “ Windows Server Engineer and not having to work about these patches…
It would help people more if you gave them less theory and instead gave them the practical way to turn off IPv6. Just a suggestion.
Take the CVE code he gave at the beginning of the video and search it in Google you can learn what to do there. If you just want to educate yourself. But, I believe Microsoft has pushed out an update for this…definitely important to keep your systems updated.
I was told in computing class that IPv6 was calculated to 250,000 addresses per every sq meter of earth... Dunno if it was BS but sounds cool.
So disable IPV6 is what I'm hearing. Already been doing it for years.
Also update windows.
Most exploits are done over IPv4.
@@nikizeYes, but most ipv6 happens on ipv6, so I'm going to keep disabling ipv6 whenever I can.
@@samlevi4744also auto-update Windows!
Or you could disable Windows. 💀
Thanks for explaining how this stuff works and how we can help prevent damage to our systems
I turned off auto updates because Microsoft forced the computer to restart even when you are not ready.
its nice to still get updates for the time being. once next october hits, we wont be so lucky if something like this happens again.
How was this vulnerability discovered?
Also, nice shirt Dave
Have you watched the video?
@@kewqieYes I did. Maybe it's my ADD but nowhere Dave mentions what kind of tests were done to discover this vulnerability?
I wonder just how simple or complex the attack is.
I've watched video on exploiting speculative execution and winning race conditions between loops and that all seemed extremely hard to predict as a programmer as a potential threat.
I've also seen the history of breaking console security and I think the most impossible to have predicted as an attack vector was people drilling into an intergraded circuit chip to cut a grounding wire.
I hope in time we get the full explanation of what exploit did. That is assuming this whole IPv6 buffer underrun wasn't just an obfuscation and that has nothing to do with the exploit and was published to mislead hostile researchers.
1:35 What was that random sound effect?
@@asksearchknock Yea but why? Weird.
If I remember right he usually has a like/subscribe animation accompanying that sound.
It is the sound effect attached to his subscribe graphic overlay, however oddly because he adjusted his framing, it seems as if the subscribe graphic was out of frame - a bit strange given that usually zooms don’t affect graphics unless everything is compounded together.
@@JarrydHallIt seems the zooms may be the last piece added, after pre-composing basically the finished video into one object in the editor.
I believe the biggest problem with computers is the tech is moving so fast, IT security is atleast one or more laps behind. AI is just making things infinitely harder for us specialists to keep up with
I am a retired Microsoft Software Engineer and clicked the Do not recommend channel link right after watching the video. Why? Because this is 90% clickbait. This attack is not possible if your Windows machine is not on the internet directly, and for most (all?) of you, your machine is not on the internet but behind a router which creates a local network. Since that router is not Windows, it does not matter if it has IPv6 or not.
And for those of you saying that you need IPv6 in your machines, you do not. Why? Because you are in a local network, not directly on the internet.
Could Windows IPv6 vulnerabilities be exploited on my home network, even I have blocked IPv6 at the home router?
Yes, even if you've blocked IPv6 at your home router, Windows IPv6 vulnerabilities could still potentially be exploited on your home network.
Here's why:
Dual-Stack Devices: Many devices, including Windows computers, are dual-stack capable, meaning they can support both IPv4 and IPv6. This means that even if IPv6 is blocked at the router level, these devices can still attempt to communicate using IPv6.
Hidden IPv6 Interfaces: Some devices might have hidden IPv6 interfaces that aren't visible at the router level. These interfaces could be exploited if they are vulnerable.
Network Address Translation (NAT) Issues: NAT can sometimes introduce unexpected behaviors, potentially allowing for IPv6 traffic to bypass the router's blocking rules.
Third-Party Software or Drivers: Certain third-party software or drivers on your network devices might have vulnerabilities that could expose your network to IPv6 attacks, even if the router is blocking IPv6.
Yet another excellent, timely video Dave, many thanks for that. You do raise a huge issue with the Chinese Government, they will exploit vulnerabilities. Keep up the great work Dave, fab videos. It just reminds me how far we are from CP/M..... :)
"Turn off IPv6 if you don't need it . . . " Thanks for the advice and especially the discussion about if I need it. You could do a service to folks like me with a link to a "how to" video, and some way to tell if it's gone wrong.
As I said elsewhere, 99.99% of users won't even have heard of IPv6 or the bug, let alone know how to turn it off.
Thanks for the great info Dave. I am behind a home NAT firewall, so I turned-off IP-V6 in Windows 10 Pro. Will see if anything breaks, but I don't think my ISP WOW even supports IV-P6. Really enjoy your videos. Keep them coming!
I appreciate you, Dave. :>
A lot of things use IPv6 Internally to Windows and turning it off can break things you never realised would break!
Rule 1: Patch early, patch often. Rule 2: Don't disable any IP stacks unless you really know what you're doing.
Patching often is not solution also cause there’s so many untested updates that end up opening another holes and system instabilities.
@@TheKingTywinLannisterpatching known vulnerabilities is better than opening up to “unknown” ones that are unknown, and likely unexploited
Most of the service providers in Norway offer native IPv6 for all Home users.
Most ISPs will NAT the router as well. You’ll often see a non-routed 10-net address on your uplink interface.
Most people that have IPv6 enabled are in fact using it. Most large internet services (Google, Facebook, Microsoft, and many more) are reachable over IPv6 and it's been the preferred protocol in all browsers. Most if not all home routers that support IPv6 have a built-in IPv6 capable firewall that will block all unwanted connections from the outside. So while it might not be strictly necessary, disabling IPv6 does not enhance security and will harm global adoption of IPv6 in the long term.
As soon as I saw your thumbnail I turned off my Windows PC and watched this on my Linux computer. I'm going to turn my Windows PC back on now and disable IPV6. Thanks for the video. Subscribed 🙂
Lol, that won't help.
Install your damn updates and leave IPv6 on.
I could not stop looking at that shirt. Love it 🎉👌🏼
Fyi: "Google's IPv6 usage reached a new record of 45.28% on September 2, 2023. We are on track to hit 50% IPv6 adoption somewhere in 2024"
Personally I think a lot of that is coming from phones and I don't know how to break that out to windows PCs.
It might help when all ISP's start to use it... My current one (a large supplier in my country) doesn't for residential accounts.
*"Get the latest updates as soon as they're available... be among the first to get the latest non-security updates, fixes..."*
Dave,
I took your advice and turned this on, albeit a little perplexed that it said "non-security updates" and then the update was... "Security Intelligence Update for Microsoft Defender Antivirus..."
Well, of course!
The problem is Windows updates are disruptive and have broken Windows in the past, so it's hard to trust them. Also strongly disagree with disabling ipv6 - any changes from the defaults at this level are going to possibly create problems that either aren't obvious or don't have obvious fixes/relationship to the action of turning off ipv6.
Completely agree with Windows Updates. However, you usually can download the specific update related to the vulnerability as an exe (or similar) online. I have not checked for this particular vulnerability yet.
Disabling IPv6 can always be undone if you notice unintended effects.
Completely agree with your take on Windows Updates. Very disruptive and feature breaking.
@@johne9898 the average user may not even associate whatever has broken with the action of disabling ipv6. Things don't always break in obvious ways.
Unfortunately, one of the patches deployed in the past couple of days brought my system to a crawl. And when I say crawl is that a build script that normally executed in 18-20 seconds suddenly took 2:45-3.00 minutes! Had to uninstall them and hope that people with time on their hands have the same issue and get it fixed.
Ahh, its great living in denmark. IPv6 has almost no market penetration.
...but the trade off is socialism. 😂
@@1369usmc I believe it can work in ethnically and culturally homogenous nations - as demonstrated by Scandinavian countries.
If you Dual Boot with Linux, DON'T update yet!! The SBAT is preventing Linux from booting. Microsoft claims that it should not have any impact, but there are increasing reports of people getting the error: "Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation"
This is EXACTLY why I disable automatic updates in Windows and read up on what is being patched first. If you are a Dual-booter who already installed the update, there is a work around by disabling your secure boot in the BIOS, login to your Ubuntu and delete the SBAT Policy in terminal by entering: sudo mokutil --set-sbat-policy delete
You should make a program that fixes half of the problem then nags the user for money to fix the other half.
That sounds like a job for Norton and MacAfee. 😊
Thank you DAVE... Agree with you about the China reacearch syndrome's research vulunerablity. A 0 click is definitly a major problem, on devices...😮
The good-ish news, it's almost impossible to actually turn off Windows Update on Windows 10. I've tried. It always gets turned back on....
I finally gave up, but I know there's downloadable stuff out there to actually do it....but I decided to live with it.
... there is a way to prevent a windows update.
Easiest way to prevent Windows update in uninstall it and use Linux.
Yeah, there's ways.
there is an easy way to do it with group policy or using a simple registry file with the correct values
each of these registry settings are available as a group policy - changing one also changes the other
-
where you see - 2024-07-30 - - if you put today's date in there - and load this to your registry - your windows updates will be paused for 6 months
-
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"ExcludeWUDriversInQualityUpdate"=dword:00000001
"DeferFeatureUpdates"=dword:00000001
"DeferFeatureUpdatesPeriodInDays"=dword:000000b4
"PauseFeatureUpdatesStartTime"="2024-07-30"
"DeferQualityUpdates"=dword:00000001
"DeferQualityUpdatesPeriodInDays"=dword:0000001e
"PauseQualityUpdatesStartTime"="2024-07-30"
- or to resume updates -
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"ExcludeWUDriversInQualityUpdate"=dword:00000000
"DeferFeatureUpdates"=dword:00000000
"DeferFeatureUpdatesPeriodInDays"=dword:000000b4
"PauseFeatureUpdatesStartTime"=""
"DeferQualityUpdates"=dword:00000000
"DeferQualityUpdatesPeriodInDays"=dword:0000001e
"PauseQualityUpdatesStartTime"=""
@@johnarnold893 it has occurred to me for sure....kinda tired of all the bloat.
I've generally not adopted IPv6 across my networks, as I don't have loads of machines. My service provider on the other hand...
Dear Dave, disabling IPv6 is a horrible horrible idea, almost 50% of US IS using IPv6, even if it in many cases isn't required, but will you take responsibility when it is?
Most exploits these days are done over IPv4, so you are better of by disabling that first.
Where did you get your statistics? Disabling services, protocols, etc. that aren’t in use should be common sense. I’ve never used IPv6 on my home network because literally nothing requires it. And so, yes, it’s disabled and no, that’s not horrible.
Waiting for months Windows outlook or edge to remember my logins to microsoft account. Two devices.. same issues. Love it.
Another day another severe windows security vulnerability
In the Linux kernel alone, 1,600 vulnerabilities have been reported since the beginning of the year. 7 per day. Only in the kernel. And what does that prove?
Disable IPv6 as a solution is the equivalent of telling people to disable IPv4 because most of their sites can be accessed over IPv6 anyway.
IPv4 is technical debt. More and more countries are experiencing shortages that pretty much makes IPv4 unusable. AWS is now billing every IPv4 per unit and techs are being developed so you only need one stack on the net (v6. And a sort of nat to v4 to get to legacy websites. Already happens on some mobile nets.)
Saved by my ignorance: Haven’t seen any use for IPv6 in my personal environment (yet) so since Vista it’s the first thing I disable on all my devices.
Me too
I've been disabling the IP Helper service that processes IPv6 on clients' PCs for years. Talk about foresight! I was doing it to reduce bloat on underpowered hardware, but I'll take that win...
Next video, how to turn off ipv6?
You could google it and find the answer before Dave even wrote the first sentence of the script for that video. I don't get the logic here.
@@V1CT1MIZED like most things in Windows, it isnt simple to do, just turning it off in the network configuration doesn’t completely disable it, it isnt an easy thing to do fully
thank you Dave!
these "heads-up" moments are priceless :)