Oracle forms application running as a Java applet in IE is always a fun thing to work with..... And the 2nd best thing is having like a 2 page manual on intranet how to hack it to work....
Usually you set this up to only open up certain pages in IE mode and not all pages which makes it much harder to exploit. At least according to my experience
If configured correctly then Edge will not use IE mode except for specific sites that are put in to a list of sites that require IE mode, such as an intranet site. If not using a centrally managed enterprise list of sites for Edge in IE mode then sites in the browser managed list expire after 30 days. Clicking a random link is somewhat unlikely to send you to Edge in IE mode.
Yeah, an average person has no idea what goes on in their bank, Edge IE mode is pretty modern compared to the 100s of legacy mainframe systems. Also as many people already stated, no way you gonna open a wrong link in IE mode unless something is wrong on org settings level.
@@DefinetlyFamillyFriendly I work for a large enterprise in health care... we have IE mode entries in our EMSites list. This is very common in enterprise for support of older software or internal websites.
@@DefinetlyFamillyFriendly Most EMR and EHR (if not most, it’s still a LOT of) only works on IE. Honest to god it destroys my soul every time I have to configure a Device Configuration profile in InTune for a client that opens up and enforces Edge in IE mode, adding all the providers' URLs to the trusted sites list… Madness… Edit: rereading my comment, it sounds like I am trying to tell you something you don’t already know. So my bad, was just a general statement
"Microsoft, this is the seventh time in a row you're showing remote code exploit to the class" - Somebody once told them to do what they're good at, and they took that advice to heart. The problem for us is that they're good at being insecure.
People have no idea how much of the world runs in legacy mode. Edge IE is one of the requirements for the world to run. Large companies usually only change what makes money. We are still migrating to GitHub at work.
"Nobody uses Edge in IE mode" My career installing electronic security and servicing 10+ year old PoE cams needing ancient obscure ActiveX plugins to manage them says otherwise.
Do those actually run on the wider Internet? Because I know people use IE mode for intranet stuff, but a website designed for IE mode would fail for 95% of users.
It's funny you state that no one uses Edge and especially not Edge in IE mode - meanwhile I work for a large, well-known corporation whose handful of extremely important internal applications are incompatible with Edge and can only be run in IE mode...
Had that with infrastructure equipment like switches in really big companies. Their stuff was so ancient that you either had to download a reaaaaaaaaaaaaaaaaaaaaaaaaaaaaaallly old firefox version or use edge in ie mode
A major bug in the TCP/IP stack is not at all surprising, Microsoft is the same company that never bothered to fix a bug in Windows 8.1 that would cause the TCP/IP stack to break after about 30 minutes if you used a Wi-Fi driver compiled against Windows 8.1.
What does compiling against mean? Compiling the driver to run on a specific version of Windows? Also shouldn't there be tons of Wi-Fi drivers out there from different Wi-Fi manufacturers?
@@mattmurphy7030 I would have thought that windows has pretty good backwards compatibility and assumed that you don't have to maintain the same driver across multiple windows versions. That must suck. So there is a single global wifi driver pre installed in windows 8.1 that works for all wifi manufacturers and had that bug you were talking about?
@@ArkenGAMES nah it's that Microsoft broke the dependencies that WiFi device manufacturers use to build the firmware blobs into installable Windows drivers so that when the driver installs regardless of the manufacturer it will break. Another reason the driver should be presented at the kernel level and treated sincerely as such, rather than slapping them on willy nilly.
IPv6 is disabled on my machine because it wouldn't play nicely with Outlook... So a bug in one product, saved me from a security vulnerability in another 😅
@@howelon3099 7:44 So you interpreted "Systems are not affected if IPv6 is disabled on the target machine." to mean "Systems *are* affected even if IPv6 is disabled on the target machine." or am I missing something...
@@erikb4407 Well when I read the original writeup it said even if ipv6 is disabled the packets bypass the firewall anyways and will execute the said packets/code. Maybe this is referring to something else?
@@howelon3099 If you look at the original writeup on the microsoft website for this specific CVE, it says under *Mitigations* _"Systems are not affected if IPv6 is disabled on the target machine."_
Fun fact: Another language in the “BOL” tradition - SNOBOL4 and SNOBOL5 (Oregon) has ancient syntax but awesome feature set for text data extraction and parsing, and is very much useful today. It may have COBOL vibes but wowzers is it miles better than trying to use regexes to extract data from non-regular-language input (CrowdStrike cough cough).
@kensmith5694 there's a couple of banks near me offering damn good money for students to do COBOL, apparently saying their last few programmers are in their 60's and 70's(!), and have returned to work after retiring some years ago. They paid for eye surgery for one lol 😆
Oh yea, if you want an idea how dire their situation is, heck a cold winter could finish off their COBOL team 😬 the local Unis allow them to come in at fresher week and say to the Comp Sci students can you see yourself doing this? There's a paid 'apprenticeship' right this way if you do.... but every week that you learn more about new stuff you get further away from where we need you to be, so come now. No other companies get that opportunity.
I know it isn't really relevant to the discussion at hand, but saying IPv6 has "billions and billions of addresses" (9:48) is just a *crazy* understatement of how many addresses IPv6 has. It's IPv4 that has "billions AND billions" - about 4.3 billion, in fact - while IPv6 is more like "billions OF billions… OF BILLIONS… of addresses *for each IPv4 address*". If you assigned an entire IPv4 worth of addresses, to every human who has ever lived, once a second, it would take about 21 BILLION YEARS (or about time and a half the current age of the universe) to exhaust IPv6. That is a BIG address space!
Plenty of things use it in the enterprise space… “we either have to upgrade the LOB system and pay a ton of cash… or set GPO to automatically open these in IE Mode.”
Interesting fact: MS at some point took the TCP/IP stack from OpenBSD because they lost knowledge of their own source code. Yet they still fucked up something robust anyway. There is also a story that they asked the Samba project to help them with their SMB protocol code because they also lost the knowledge. They refused because MS wasn't willing to share information in the past.
correction (5:10): the OSI model is a reference model and not actually used in practice. the TCP/IP model is used in practice, though OSI is taught as it's a good entry point into networking.
What a shame that companies never have to take responsibility for grossly negligent behaviour. You know: router manufacturers who set the admin password to ‘admin’ because they think it's better than ‘1234’. Such a law would be great, because then Microsoft would have to pay the customers, because M$ collects even critical error messages hundreds of thousands of times - and ignores them.
@@jagdtigger perhaps my point was missed, I was hoping to point out that users often do not get a choice what router they can use, I sure don't. I have 2 ISPs in my area, and one is DSL and would go out on an hourly basis, and when it did work it had less than 1MBPS download. So, I've realistically got only one option for my ISP. They refuse to service any router which isn't theirs, and their routers are extremely locked down. I don't have an option
@@Tenetri it is, also take a look at the android security bulletin, yeah, it's udp in general, buuuuut, probably easier to exploit with ipv6, there was an unauthenticated, remote code execution in Android's network stack, too
@@Vitis-n2v Or rather, it's because Ed is actually in a Windows VM to avoid getting his real fingerprint identified so he can protect his privacy.
I don't either. I'd rather have my data be stolen by microsoft, google, and other large companies than some unknown browser extension. I don't have ANY browser extension at all. I used to have quite a few and a well-known one in them got hacked one day and I believe it stole my credentials from sites. So I had to change my credentials and reset my computer. Chrome extensions can't really be trusted. The Chrome web store, most obviously, doesn't work like the google play store. Nothing is reviewed on there and there are no constraints over what the extension can access, obviously because most extensions need to access site data such as dark mode readers, and ad blockers, for example.
LLL: "No one uses Edge in IE mode." The comments section: "You just activated my trap card!" Large companies: "Guess I'll die" Banks: "First time?" Me: *grab popcorn*
I used to work for a company that was using IBM's SAP HR platform which required all the computers to be versions of windows that still supported full IE (so it was Windows 7 across the board), not to mention it had an antique Java backend
"Crowdstrike: The 'Patch Tuesday' is not even close to 'Stranded Friday.'" - I can't say I agree with that. I would much rather have my computer crash and refuse to boot than have a malicious actor take control of it remotely, especially if they can do so without any user interaction.
1:40 I can't speak for everyone, but there are some systems I have worked with that still require the compatibility mode for their web app to function, and this is in Health Care, although it may not be many, the impact that could have on patient privacy needs to be taken into consideration
1:40 "no one uses Edge" I would like to point out -- for all its flaws... *MS* does a *FANTASTIC* job with the *READ ALOUD* function it is TOP TIER ! ! !
yep, use that too, to check on my own documents. You can read across missing words, but hearing it read aloud you spot all the things the spelling checker misses.
Likewise. Other than networking that is invisible to us end users (cellular data), I don't actually know a single person or company that I work with, that is using IPv6. I know that's not how things are everywhere, but like... _both_ times in a couple decades of being in IT that someone has asked for support with IPv6, I've had to go back .. again .. and learn it all .. again .. because I never ever have to use it for anything. Part of me is curious whether the sluggish adoption is inevitable (if you have something that works, why bother?), or if it's just because IPv6 is a convoluted mess of a stack that changed so much more than it needed to, and the lack of uptake is more because no network engineer wants to deal with it if they don't absolutely have to.
@@originzz one of their access paths likely was discovered. Let's not forget that your CPU, GPU, BIOS, cables, TV, phone, entire life is backdoored. There is no privacy, soon we will see covid & 1940s esque neighbours snitching on neighbours and anyone they can in order to win favour with big brother. Dangerous times ahead.
Plenty of people use Edge. And even those who don't, still have times where they use Edge, because Windows continues defaulting links into Edge regardless of your chosen browser. And as others have said, there are many corporates that still rely on legacy IE mode for Edge. Saying "no one uses Y" is weird in a world where Southwest Airlines was able to escape the Crowdstrike issue solely because their systems are all Windows 3.1 or 95 and where banks are still running Fortran-based systems.
@@trail.blazer I doubted that would be true and that it would probably just emulate IE like changing the user agent header and a bunch of other compatibility settings but you're actually right it ships with the "Trident MSHTML" browser engine that was first released in 1997, and apparently that means a bunch of new web standards totally won't work. Microsoft is wack. I do not envy anyone who has to maintain software made for IE mode, must be a pain in the ass.
@@BlueBetaPro Is it really Microsoft that is wack? The reason Microsoft is providing it is that there are ancient pieces of software only compatible with it. So it’s the enterprises using such software that are ‘wack’, if anything.
@@abcdqwerty3562 I know it's not wack to provide the backwards compatibility in the first place but it's the way that they went about it from a technical perspective that sounds wack. From a web development perspective it's really incompatible with modern standards despite being in a modern browser, and from a software development perspective it's lazy to include something that I assume is quite a large binary/library into the application just to provide a little bit of backwards compatibility.
The number of users is inflated as Microsoft force Edge to launch by overriding default settings. Plus Windows 11 silently uses Edge to run user-implied search requests.
"Systems are not affected if IPv6 is disabled on the target machine." Oh, so basically every Windows machine I've had to touch is already unaffected. IPv6 is one of the first things I disable on any machine and I have never needed it in local network environment.
This reminds me of the issue back in the day, with Windows XP SP1 called "Raw Sockets". This was a vulnerability that allowed an attacker to attack a system remotely, outside of the standard TCP/IP protocol and allowed attackers to be able to manipulate both the Transport and IP Layers. It was kind of a big deal back then and a major reason why Microsoft implemented a firewall in Windows XP SP2.
Love your channel, I am fairly technical due to my career and interests in computers and so I enjoy how you recap stuff, explain stuff but also don’t go so far as sucking eggs. Subscribed!
So many comments about Edge & IE when there's a CVSS 9.8 RCE in TCP/IP. Corporate machines will get patched pretty quick, the concern will be those "unpatchable" devices, since we need to assume this bug has existed in the codebase of older OS, IPv6 is fully routable, edge security may not be blocking the affected traffic, and patch reversing is a whole thing for motivated attackers & curious minds.
Correction regarding the IPv6 reach-ability topic. The true protection we get from NAT is the statefulness capability that it forced on dinky home routers. That same statefulness also protects IPv6 hosts, regardless of whether they have an internet routable address or not. If the connection didn't initiate from my host, it doesn't matter that you can guess my IP. If it _did_ initiate from my host NAT won't protect me from those dodgy packets. This particular vuln would be most effective in places where a host is not behind a firewall or where the malicious actor is already behind the firewall. Roaming wifi, some cellular networks, weak govt agency networks, that sort of thing.
in other words: how would these "carefully crafted" malicious ipv6 packets even reach my pc if adsl modem/router has all ports closed? and pc has firewall. in that case i have to click something, somewhere...which is same as opening suspicious mail attachments.... so....not really 9.8 of 10 vulnerability with all those factors. and...well....i'm not on ipv6 anyway.....i hear half the germans are....hehe.....
@@ivok9846 IMO it's still a 9.8. I don't think CVEs should assume anything about local networks when assessing risks. But for the rest of us, it's an important reminder that stateful firewalls are useful, IPv6 does not equal direct internet access and maybe stay away from MS Windows.
So, in other words, to take control of a Windows system which has IPv6 enabled, an attacker simply needs to know the IPv6 address of a target machine and send a specially-formed packet (or series of packets) to it. The saddest part of this is not that this vulnerability exists, but rather that it's not surprising. Microsoft (and all other companies) needs to either fire all of its programmers for negligence or stop releasing software until they patch all of the existing security vulnerabilities and audit the software to find all vulnerabilities that are currently unknown (and fix them, too). It's infuriating that virtually nobody who writes software thinks of security as a priority. Security should be the top priority, far ahead of performance and "how quickly can we get this product released".
Hey, Low level learning, just wanted to inform you that, on your academy website, the original price in the price discount for lifetime access is incorrect (or at least, it states that the normal price is 197 and the new price is 319, which would certainly push me to wait till September 2nd ;p)
The problem is that hackers use these patches to see what Microsoft is patching and then reverse engineer and/or start investigating the code that is being patched and discover how to use the exploit. I give it a few days before the IPv6 TCP/IP stack *is* being used to exploit systems in the wild. Patch or disable IPv6 on your NIC interfaces NOW!
As an IPv6 stan this saddens me! Knee jerk reaction will be to turn off IPv6 and never turn it back on. IPv6 does have a private address range. Hopefully router manufacturer default will be to use these addresses and not public addresses for your LAN. Link-Local addresses are a godsend when a remote device gets replaced with a spare and you get the call that it's not working.
No, please. Do not use IPv6 private ranges. They are there for a legacy reason. Your router should use DHCP-PD to ask for a range from your ISP. Then your router will announce that range via SLAAC to the internal networks. IPv6 is designed to not need a DHCP server. The concept of public v private is a characteristic of your firewall. Your internal networking being publicly routable doesn't mean they are publicly accessible.
@@Lue30499 I will never, ever understand this ridiculous notion. "Let's not have private addresses anymore! YAY! Everyone is directly on the Internet!" and its equally daft companion ... "NAT is not security!" Except _it literally is._ If you're not reachable directly via the Internet, you are not vulnerable to exploits that attack you ... directly ... from the Internet. The route just does not exist. "So use a firewall that blocks incoming traffic." And that's fine. _If you do it._ With IPv4, and the near-ubiquitous usage of NAT imposed by the IP shortage, there was basically no choice. Everyone was behind a one-way filter by a matter of course. With IPv6 ... eh. It's optional. The problem with that, of course, is that.... _it's optional_ ... and therefore, it _will_ be turned off. (Or just never turned on.) More to the point, you won't necessarily know, because it works either way. IPv6 has gazillions of IPs. There's no need to conserve. But that doesn't mean NAT isn't still a really good *layer* to have in the security stack. Removing it from conventional network design was the dumbest freakin thing about IPv6. And there are a lot of dumb things about IPv6.
@@Lue30499 what meaningful difference does being publicly routable make if it doesn't allow packets the user may not have expected or prepared for to reach the device?
I ticked every insecurity box: - A stupidly large number of open ports. - Having SMB (v1) enabled all the time. - Turning off antivirus always. - Questionable custom Firewall rules. Turns out randomly choosing to disable IPv6 would actually save my ass.
Many companies use Edge on their managed operating environments (MOE) for Windows Clients and indeed Servers, and in fact we actively have been removing Chrome due to all of the security vulnerabilities that it was getting compared to Edge (issues not related to the common Chromium component). When you have to do regular patching cycles and off-cycle urgent security patching for many different software tools (Microsoft, Google, Adobe etc), it makes sense to consolidate the number of update points if you can, without impacting the users' ability to work effectively. It's more efficient and easier to maintain. No real need for Chrome in a Microsoft Azure environment, for example, unless you have some weird software that is somehow dependent on Chrome (highly unlikely situation since Edge's move to Chromium though). I am not saying that Edge is better than Chrome all the time, but it is better in those types of corporate situations. Obviously IE Mode is just asking for trouble, but this can be locked down using group policy.
Except unless your Grandma is somehow still managing to use XP or Win7, she IS PATCHING, whether she bloody likes it or not, pretty much every time she turns on her computer.
@@SreenikethanI I mean how is someone just using whatever came with their PC patching, the OS stopped getting patches, I don't imagine them manually going through the KB catalogue, just disabling update notifications
@@burtburtist Because Windows automatically updates (and forces restarts), and you cannot override this without knowing a decent bit about computers. The only way a Windows 10+ computer wouldn't be updating is if it isn't online. But then it isn't vulnerable.
@@ZipplyZane thanks for the actual answer, I didn't consider it working as intended I guess, the Windows 7 failing to update bug seems pretty common, and I'm pretty sure 7 was no longer getting updates anyway, forgot if the update to 8 then 10 or whatever was truly automatic but it's been a hot minute since I've run 7 myself.
One thing that really gets me. Why is consumer, programmer, and business service Windows the same Windows? Seems like Microsoft is inviting problems. It's one thing to have cross compatibility, it's another to try and make the same product for all of them.
Unless I'm mistaken, a webserver can force Edge into IE compatibility mode with HTTP headers. So if a user goes to such a site while using Edge and clicks a malicious link, bad things can happen.
Doing a ping-sweep on IPv6 is a little like the SETI mission statement. There's gotta be somebody out there somewhere.... right? I guess bounds-checking code in the IPv6 stack is down there on the priority list, when having malformed packets hurled randomly at your machine from the ether would be an event so novel that it might inspire the plot of a science fiction movie.
well a quick google says you get roughly 2.5 pow(21) IP addresses per grain of sand in the Sahara, still way way too big to visualize. given that 7506320 grains of sand per sqf, and average depth of sand is 200feet. Some large numbers like this, what is understandable is that we no longer need NAT :D
If you want to pick up a necessary skill (that should be in first semester but wasn't truly mentioned at my uni except in electronics engineering): "Practical UML Statecharts in C/C++ - Event-Driven Programming for Embedded System". Nothing complex or trendy, just a great book explaining the skills one should have. Pricey though, it's that luxury CRC company (and suddenly you understand why Godot is doing what it does in the way it does it)
"No one uses Edge." Well, that's not true. They based it on Chromium and a lot of people no longer have any resistance to the MS pressure to use it, so use of Edge is increasing. "No one uses Edge in IE mode." Oh, bless your heart. You've never worked in the DoD. I'm sure you'll feel really safe learning that a LOT of DoD systems are outdated and can only be accessed using IE or Edge in IE mode.
That fundamental difference between IPv4 and IPv6 you mentioned, about routing and NAT, is a really good reason to disable IPv6 on every device unless it's really necessary. IPv6 was introduced to solve the problem of running out of addresses, but everything still has an IPv4 address, right? So we haven't actually "run out" yet? In other words, NAT solved the problem. Are there any IPv6 only networks i.e. where IPv4 is unsupported and IPv6 is therefore the only option? If IPv6 is really necessary, there must exist IPv6 only networks, otherwise logic says it's not necessary.
A lot of people hated NAT and welcomed IPv6 back when it was first introduced. I was still at high school or uni back then. Can't believe NAT nowadays is desired for the security side-effects. Wish the Internet were less hostile like the old days.
Honestly it's really weird how he seemed to imply a lack of firewalling for IPv6 would be the user's fault. Obviously that's a terrible default -- no NAT != no firewall. I'm sure there are some sloppy routers out there that do that, but I should also add my own anecdote of a router whose IPv6 firewalling was so effective you couldn't disable it at all; turning off the firewall only applied to IPv4. Also very annoying, but at least it's secure.
@5:28 I'd like to comment that TCP/IP is older than the OSI model, and as such, the OSI model is at best not super helpful and at worst completely misleading. Layer 1, 2 and 3 still kind of fit but it doesn't really match where TCP or IP sits in all this.
Yeah, I wish they'd kill the OSI model. Layers 1-4 are useful, but 5-7 are OSI specific. They *sometimes* align with certain things, but they're not formalized into the network stack like OSI required. The OSI network stack is dead. We've robbed its corpse of the few good things it held. Bury the model with it and move on.
@@jeffspaulding9834 Yes please! If there are protocols or environments that fit the entire model, I've never seen it and I've never even heard of it. I'm from a time where I've still seen IPX/SPX used in medium sized organizations, or where token ring had just been phased out. I'm happy with TCP and UDP over IPv4 and honestly still confused about IPv6 so as far as I understand the OSI model is not helping anyone except for (for me) the first 3 layers.
@@Gersberms OSI protocols definitely existed and were used mostly in Europe. But the vendor support just wasn't there. TCP/IP was available on UNIX, had commercial network hardware available (notably, Cisco), had lots of software that could use it, and was in active use in the US. The various X.25 efforts in Europe just couldn't catch up, and eventually all the OSI-based networks switched to IP or shut down. The Wikipedia article "Protocol Wars" has a good summary of the timeline. The model's useful for training people to think about the various layers in a protocol stack, but the requirement that all seven layers be formalized just doesn't line up with reality. I regularly work with protocols that push priority data all the way down to Layer-2, for instance (Profinet, Ethernet/IP) and the rigid OSI stack requirements aren't flexible enough for that.
To be fair, the two bad things to take away from this video are: 1. IPv6 forgoes a major advantage of public vs private networks. This is honestly a bigger security issue. Why was this logical, easily defended border considered unnecessary? 2. TCP/IP on Windows for IPv6 is currently insecure. I.e., two compounding issues that honestly make the whole situation worse for most people. But at least a lot of people don't have an IPv6 address to start with, since a lot of ISPs haven't yet adopted such, despite it soon being 3 decades since its inception.
Can you explain the new AMD CPU bug in detail? It sounds super complicated, but it also sounds like you are in trouble anyway on a machine if you can be affected by this bug. But a vulnerability that stays on your pc even after you reinstall your OS just sounds bad 🙁. But I think it could be interesting to take a closer look.
Man ngl I think I got hit by one of those, and I still have the motherboard (an amd b450) but have not quite been able to figure out how to diagnose the thing without infecting more USB drives with whatever was on it. So as far as I got, was basically that it has the capability to propagate via USB drives without any user interaction (just by plugging it into the powered on motherboard). Drives used in my testing/troubleshooting/analysis lost all ability to be reformatted too. Idk if that's from the same exploit or vuln you mentioned but it sounds like what I had happen.
@@apIthletIcc The USB issue is something else and I don't know how to test if you have this issue. The AMD CPU one that I am talking about, I think they call that the Sinkclose vulnerability. 🤷 But they are similar, just for CPUs.
Same here. I use a tunnel from Hurricane Electric, which works great except that Google makes you use a captcha because it's flagged HE's entire network. You can get a /48 and several /64s for free.
I am using Edge exclusively at work now. The IT download group policy for some reason hasn't spread to Edge yet while they have it on Chrome. Which is one of the reasons I switched to Edge. There are other out of the box user intuitive features on Edge. But yeah, all in all, I have been using Edge for a while now at work.
A few points: The OSI model doesn't properly map to TCP/IP: it has more layers, and for instance IP doesn't have a dedicated data link layer, as Ethernet provides data link and local networking while IP provides networking between Ethernet networks. There are actually multiple TCP/IP models that have been created over the years; they are all generally better than the OSI model. While IPv6 allows for people to operate without NAT, my ISP doesn't support it so I'm not aware of what a normal configuration is. Are ISPs actually giving out routers that allocate globally routable addresses to every network device without a default deny firewall in place? If that is the case this CVE is the tip of a very insane iceberg. I think the biggest problem is for large corporate networks that use Windows. Someone falls for a phishing attack and runs an executable they shouldn't and then every computer in the network can be hosed without the need to even escalate to admin rights (assuming the attack doesn't require raw packets which would require admin rights to send in which case you just need local admin on a single device and a priv esc and the whole network is pwned.)
no way haha anyway, you should go learn to code at lowlevel.academy (hehe)
way
You’ve sold out man. Letting these dodgy sponsors into the channel…
No way. Big if true
Why don't you use adblock?
An IT guy that gets ads in his browser? WTAF? 👎
"Nobody uses Edge in IE mode"
*allow me to introduce 20 year old corporate web apps*
Lemme introduce Opera 5, Oracle shittiest app that runs on IE mode.
This is 100% true
I was gonna say.
I can already smell the next big wave of ransomware. 😭
A ton of people are still using Edge in IE mode, and they are all part of large companies.
So ultimately the end user is safe but isn't because a company that has their personal data is gonna get hacked.
@@benargee And if you know nothing about computers, you are going to copy those settings at home, "because they work"
If configured correctly then Edge will not use IE mode except for specific sites that are put in to a list of sites that require IE mode, such as an intranet site. If not using a centrally managed enterprise list of sites for Edge in IE mode then sites in the browser managed list expire after 30 days. Clicking a random link is somewhat unlikely to send you to Edge in IE mode.
I'd wager a lot of people who have Crowdstrike have Edge in IE mode...
LLL: "no one uses IE mode"
Banking companies / check scanner systems: 👀
those use the original IE on Windows XP, and no, I'm not joking, just have a closer look at your local ATM, you will be surprised ...
I could not believe that a bank is still using IE mode for scanning checks for payroll ... it's so odd ... I had to support this garbage
Once my mother was using an ATM here in Brazil and when she finished what she was doing the ATM showed a windows xp shutting down screen.
I was so happy when they moved from IE6 -> IE8.
Yeah, an average person has no idea what goes on in their bank, Edge IE mode is pretty modern compared to the 100s of legacy mainframe systems.
Also as many people already stated, no way you gonna open a wrong link in IE mode unless something is wrong on org settings level.
"Nobody uses Edge or Edge in IE mode" Oh.. sweet summer child...
@@DefinetlyFamillyFriendly I work for a large enterprise in health care... we have IE mode entries in our EMSites list. This is very common in enterprise for support of older software or internal websites.
Some of the most widespread SCADA systems feature web servers that can only be accessed with IE
So many tech YouTubers, especially security focused YouTubers have this cringe ignorance, it’s a lack of real world experience I think.
@@DefinetlyFamillyFriendly Most EMR and EHR (if not most, it’s still a LOT of) only works on IE. Honest to god it destroys my soul every time I have to configure a Device Configuration profile in InTune for a client that opens up and enforces Edge in IE mode, adding all the providers URLs to the trusted sites list… Madness…
Edit: rereading my comment, it sounds like I am trying to tell you something you don’t already know. So my bad, was just a general statement
My last employer only deprecated that because they HAD to, not because they wanted to. Required an entire backend change.
Microsoft, this is seventh time in a row you're showing remote code exploit to the class
"Microsoft, this is seventh time in a row you're showing remote code exploit to the class" - Somebody once told them to do what they're good at, and they took that advice to heart. The problem for us is that they're good at being insecure.
People have no idea how much of the world runs in legacy mode. Edge IE is one of the requirements for the world to run. Large companies usually only change what makes money. We are still migrating to github at work
"Nobody uses Edge in IE mode"
My career installing electronic security and servicing 10+ year old PoE cams needing ancient obscure ActiveX plugins to manage them says otherwise.
Do those actually run on the wider Internet? Because I know people use IE mode for intranet stuff, but a website designed for IE mode would fail for 95% of users.
Or silverlight…
@@SomeDudeInBaltimore ActiveX, yeah that was too many Exes ago to remember
It's funny you state that no one uses Edge and especially not Edge in IE mode - meanwhile I work for a large, well-known corporation whose handful of extremely important internal applications are incompatible with Edge and can only be run in IE mode...
Had that with infrastructure equipment like switches in really big companies. Their stuff was so ancient that you either had to download a reaaaaaaaaaaaaaaaaaaaaaaaaaaaaaallly old firefox version or use edge in ie mode
same...
The fnсk is the large well-known corporation whose handful of extremely important internal applications REQUIRE IE IN 2024. Clients need to know XD
@@zyplocs is it Delta or Cloudstrike? 😂
If configured correctly then Edge will not use IE mode except for specific sites that are put in to a list of sites that require IE mode, such as an intranet site. If not using a centrally managed enterprise list of sites for Edge in IE mode then sites in the browser managed list expire after 30 days. Clicking a random link is somewhat unlikely to send you to Edge in IE mode.
"Nobody uses Edge in IE mode"
Laughs in Corporate IT
2:25 „it’s just another Tuesday for Microsoft“ xD
_For you, the day Microsoft ruined your security was the most important day of your life. But for me, it was Tuesday._
At least it ain't Friday.
"Yes, master. They left an interpreter in the TCP/IP stack that can be fed instructions directly from the packet"
"Good. Good."
A major bug in the TCP/IP stack is not at all surprising, Microsoft is the same company that never bothered to fix a bug in Windows 8.1 that would cause the TCP/IP stack to break after about 30 minutes if you used a Wi-Fi driver compiled against Windows 8.1.
What does compiling against mean? Compiling the driver to run on a specific version of windows? Also shouldn't there be tons of Wi-Fi drivers out there from different Wifis manufacturers?
@@ArkenGAMES each version of windows has its own SDKs (DDKs in the case of drivers)
@@mattmurphy7030 I would have thought that windows has pretty good backwards compatibility and assumed that you don't have to maintain the same driver across multiple windows versions. That must suck.
So there is a single global wifi driver pre installed in windows 8.1 that works for all wifi manufacturers and had that bug you were talking about?
There's also the WSAPoll bug and they didn't care until Win10 was released.
@@ArkenGAMES nah it's that Microsoft broke the dependencies that WiFi device manufacturers use to build the firmware blobs into installable Windows drivers so that when the driver installs regardless of the manufacturer it will break
Another reason the driver should be presented at the kernel level and treated sincerely as such, rather than slapping them on willy nilly
For some reason I read the title as "microsoft patches IN extreme vulnerability" and I wasn't even surprised I was just curious what it was
@@kissgergo5202 underrated comment
its their new crypto AI skibidi toilet update. it buzzwords your software and such
IPv6 is disabled on my machine because it wouldn't play nicely with Outlook... So a bug in one product, saved me from a security vulnerability in another 😅
Turning it off actually doesn't prevent the bug from working just make sure that your windows is up to date
@@howelon3099 7:44 So you interpreted "Systems are not affected if IPv6 is disabled on the target machine." to mean "Systems *are* affected even if IPv6 is disabled on the target machine." or am I missing something...
@@erikb4407 Well when I read the original writeup it said even if ipv6 is disabled the packets bypass the firewall anyways and will execute the said packets/code. Maybe this is referring to something else?
@@howelon3099 If you look at the original writeup on the microsoft website for this specific CVE, it says under *Mitigations* _"Systems are not affected if IPv6 is disabled on the target machine."_
Fun fact: There are still some computers that are running code written in COBOL.
Be careful what you say nobody does
The IRS does.
Fun fact: Another language in the “BOL” tradition - SNOBOL4 and SNOBOL5 (Oregon) has ancient syntax but awesome feature set for text data extraction and parsing, and is very much useful today. It may have COBOL vibes but wowzers is it miles better than trying to use regexes to extract data from non-regular-language input (CrowdStrike cough cough).
@@absurdengineering I just looked up SNOBOL. I knew of its existence but not the nature of the language.
@kensmith5694 there's a couple of banks near me offering damn good money for students to do COBOL, apparently saying their last few programmers are in their 60's and 70's(!), and have returned to work after retiring some years ago. They paid for eye surgery for one lol 😆
Oh yea, if you want an idea how dire their situation is, heck a cold winter could finish off their COBOL team 😬 the local Unis allow them to come in at fresher week and say to the Comp Sci students can you see yourself doing this? There's a paid 'apprenticeship' right this way if you do.... but every week that you learn more about new stuff you get further away from where we need you to be, so come now
No other companies get that opportunity
Me who always disables IPV6 because the long weird address is annoying 😎
mfw 127.0.0.1 instead of ::1 (the latter is longer and more annoying)
I always remove (with NTLite) or disable everything that's not really useful. One of them being ipv6.
I know it isn't really relevant to the discussion at hand, but saying IPv6 has "billions and billions of addresses" (9:48) is just a *crazy* understatement of how many addresses IPv6 has. It's IPv4 that has "billions AND billions" - about 4.3 billion, in fact - while IPv6 is more like "billions OF billions… OF BILLIONS… of addresses *for each IPv4 address*". If you assigned an entire IPv4 worth of addresses, to every human who has ever lived, once a second, it would take about 21 BILLION YEARS (or about time and a half the current age of the universe) to exhaust IPv6. That is a BIG address space!
Heard him say "no one uses edge" that's all I need to know he hasn't a clue about enterprise.
Control systems use Microsoft Edge in IE mode.
Plenty of things use it in the enterprise space… “we either have to upgrade the LOB system and pay a ton of cash… or set GPO to automatically open these in IE Mode.”
Interesting fact: MS at some point took the TCP/IP stack from OpenBSD because they lost knowledge of their own sourcecode. Yet they still fucked up something robust anyway.
There is also a story that they asked the Samba project to help them with their SMB protocol code because they also lost the knowledge. They refused because MS wasn't willing to share information in the past.
correction (5:10): the OSI model is a reference model and not actually used in practice. the TCP/IP model is used in practice, though OSI is taught as it's a good entry point into networking.
2024: The year of IT craziness - vulnerabilities, outages, everything
*What a shame that companies never have to take responsibility for grossly negligent behaviour. You know: router manufacturers who set the admin password to ‘admin’ because they think it's better than ‘1234’.* *Such a law would be great, because then Microsoft would have to pay the customers, because M$ collects even critical error messages hundreds of thousands of times - and ignores them.*
10:21 I respectfully disagree, every reputable brand router will have the same default deny rule for IPv6 as they have on IPv4 in the firewall config.
The problem is that the words "reputable" and "router" usually do not belong in the same sentence
@@kneesnap1041 Yeah sure, lets nit-pick about semantics while it is clear i simplified my point so normies can understand it......
@@jagdtigger perhaps my point was missed, I was hoping to point out that users often do not get a choice what router they can use, I sure don't. I have 2 ISPs in my area, and one is DSL and would go out on an hourly basis, and when it did work it had less than 1MBPS download.
So, I've realistically got only one option for my ISP. They refuse to service any router which isn't theirs, and their routers are extremely locked down. I don't have an option
@@kneesnap1041 You can always hook up yours after the ISP junk.....
IPv6 security is more important than I thought! This bug sounds wild - gotta go patch Windows now. Keep up the great vids!
@@Tenetri it is, also take a look at the android security bulletin, yeah, it's udp in general, buuuuut, probably easier to exploit with ipv6, there was an unauthenticated, remote code execution in Android's network stack, too
plot twist: you're not on ipv6, just like most of the planet....
Can't believe that there are still people who don't use an adblocker lol
especially someone who is allegedly so computer literate
@@rowbart3095 it's probably on purpose to support creators or websites
@@Vitis-n2v Or rather, it's because Ed is actually in a Windows VM to avoid getting his real fingerprint identified so he can protect his privacy.
Could it be that he was running a Windows VM for privacy reasons? *_Resisting_* fingerprinting is its own way to getting fingerprinted, LOL.
I don't either. I'd rather have my data be stolen by microsoft, google, and other large companies than some unknown browser extension. I don't have ANY browser extension at all. I used to have quite a few and a well-known one in them got hacked one day and I believe it stole my credentials from sites. So I had to change my credentials and reset my computer. Chrome extensions can't really be trusted. The Chrome web store, most obviously, doesn't work like the google play store. Nothing is reviewed on there and there are no constraints over what the extension can access, obviously because most extensions need to access site data such as dark mode readers, and ad blockers, for example.
LLL: "No one uses Edge in IE mode."
The comments section: "You just activated my trap card!"
Large companies: "Guess I'll die"
Banks: "First time?"
Me: *grab popcorn*
"Nobody uses Edge or Edge in IE mode" I think Ed was speaking to us, viewers.
I used to work for a company that was using IBM's SAP HR platform which required all the computers to be versions of windows that still supported full IE (so it was Windows 7 across the board), not to mention it had an antique Java backend
Crowdstrike: The "Patch Tuesday" is not even close to "Stranded Friday."
"Crowdstrike: The 'Patch Tuesday' is not even close to 'Stranded Friday.'" - I can't say I agree with that. I would much rather have my computer crash and refuse to boot than have a malicious actor take control of it remotely, especially if they can do so without any user interaction.
1:40 I can't speak for everyone, but there are some systems I have worked with that still require the compatibility mode for their web app to function, and this is in Health Care, although it may not be many, the impact that could have on patient privacy needs to be taken into consideration
1:40 "no one uses Edge"
I would like to point out -- for all its flaws... *MS* does a *FANTASTIC* job with the *READ ALOUD* function it is TOP TIER ! ! !
yep, use that too, to check on my own documents. You can read across missing words, but hearing it read aloud you spot all the things the spelling checker misses.
@@Nerd3927 Hmmmmmm... I need to check this out
The Edge tab management is the best. I wish Firefox could do that.
I still haven't enabled ipv6 yet... not even sure if my ISP supports it. But still, it's amazing to see a vuln of this level these days.
Likewise. Other than networking that is invisible to us end users (cellular data), I don't actually know a single person or company that I work with, that is using IPv6. I know that's not how things are everywhere, but like... _both_ times in a couple decades of being in IT that someone has asked for support with IPv6, I've had to go back .. again .. and learn it all .. again .. because I never ever have to use it for anything.
Part of me is curious whether the sluggish adoption is inevitable (if you have something that works, why bother?), or if it's just because IPv6 is a convoluted mess of a stack that changed so much more than it needed to, and the lack of uptake is more because no network engineer wants to deal with it if they don't absolutely have to.
This is a huge deal. Thank you for this. I was hoping to catch you at DEFCON but hopefully next year!
Somebody found the cia's backdoor & they had to cover their asses
If it were that easy they wouldn't be the CIA
@@originzz one of their access paths likely was discovered.
Let's not forget that your:
CPU
Gpu
Bios
Cables
TV
Phone
Entire life is backdoored. There is no privacy, soon we will see covid & 1940s esque neighbours snitching on neighbours and anyone they can in order to win favour with big brother.
Dangerous times ahead
I always have ipv6 disabled by default. There's a lot of privacy and security concerns about being directly out with an unique address.
firewalls exists for that. and NAT for IPv4 is a hack and was never meant for security.
@@RoddyDev It was not, but it's a by product of the workaround.
IPv6 also has an implementation of private-enhanced addresses; whereby your OS can use unique, randomly generated addresses for different sessions.
Unrelated but, adblockers are your best friends
Plenty of people use Edge. And even those who don't, still have times where they use edge, because windows continues defaulting links into Edge regardless of your chosen browser. And as others have said, there are many corporates that still rely on legacy IE mode for Edge. Saying "no one uses Y" is weird in a world where Southwest Airlines was able to escape the Crowdstrike issue solely because their systems are all Windows 3.1 or 95 and where banks are still running Fortran-based systems.
The figures I've seen say that Edge has 5% of the browser share. It simply isn't true that "nobody uses it".
Not just Edge, but Edge in IE mode. That means it is really running Internet Explorer with an Edge wrapper.
@@trail.blazer I doubted that would be true and that it would probably just emulate IE like changing the user agent header and a bunch of other compatibility settings but you're actually right it ships with the "Trident MSHTML" browser engine that was first released in 1997, and apparently that means a bunch of new web standards totally won't work. Microsoft is wack. I do not envy anyone who has to maintain software made for IE mode, must be a pain in the ass.
@@BlueBetaPro Is it really Microsoft that is wack? The reason Microsoft is providing it is that there are ancient pieces of software only compatible with it. So it’s the enterprises using such software that are ‘wack’, if anything.
@@abcdqwerty3562 I know it's not wack to provide the backwards compatibility in the first place but it's the way that they went about it from a technical perspective that sounds wack. From a web development perspective it's really incompatible with modern standards despite being in a modern browser, and from a software development perspective it's lazy to include something that I assume is quite a large binary/library into the application just to provide a little bit of backwards compatibility.
The number of users is inflated as Microsoft force edge to launch by overriding default settings
Plus Windows 11 silently uses edge to run user-implied search requests
"Systems are not affected if IPv6 is disabled on the target machine."
Oh, so basically every Windows machine I've had to touch is already unaffected. IPv6 is one of the first things I disable on any machine and I have never needed it in local network environment.
Hello, I'm just here to flex on most people here and say that I'm using Linux even though no one asked me.
Arch Linux user confirmed.
Plot twist they actually use windows 11 jk
I use Arch, btw.
Does using a Mac count? Nobody asked me either. I'll go back to my over paid walled garden... Sorry.
Surely linux have 0 vulnerabilities
This reminds me of the issue back in the day, with Windows XP SP1 called "Raw Sockets". This was a vulnerability that allowed attacker to attack a system remotely, outside of the standard TCP/IP protocol and allowed attackers to be able to manipulate both the Transport and IP Layers. It was kind of a big deal back then and a major reason why, Microsoft implemented a firewall in Windows XP SP2.
Love your security technical reviews !!❤
I think it would also be cool if you would do this as a series about Snowdens leaks
Love your channel, I am fairly technical due to my career and interests in computers and so I enjoy how you recap stuff, explain stuff but also don’t go so far as sucking eggs. Subscribed!
Instant subscription. Keep up your awesome work
2:12 I'm curious why you are allowing ads?
So many comments about Edge & IE when there's a CVSS 9.8 RCE in TCP/IP.
Corporate machines will get patched pretty quick, the concern will be those "unpatchable" devices, since we need to assume this bug has existed in the codebase of older OS, IPv6 is fully routable, edge security may not be blocking the affected traffic, and patch reversing is a whole thing for motivated attackers & curious minds.
Correction regarding the IPv6 reachability topic. The true protection we get from NAT is the statefulness capability that it forced on dinky home routers. That same statefulness also protects IPv6 hosts, regardless of whether they have an internet-routable address or not. If the connection didn't initiate from my host, it doesn't matter that you can guess my IP. If it _did_ initiate from my host, NAT won't protect me from those dodgy packets.
This particular vuln would be most effective in places where a host is not behind a firewall or where the malicious actor is already behind the firewall. roaming wifi, some cellular networks, weak govt agency networks, that sort of thing
in other words: how would these "carefully crafted" malicious ipv6 packets even reach my pc if adsl modem/router has all ports closed? and pc has firewall.
in that case i have to click something, somewhere...which is same as opening suspicious mail attachments....
so....not really 9.8 of 10 vulnerability with all those factors.
and...well....i'm not on ipv6 anyway.....i hear half the germans are....hehe.....
@@ivok9846 IMO it's still a 9.8. I don't think CVEs should assume anything about local networks when assessing risks. But for the rest of us, its an important reminder that stateful firewalls are useful, IPv6 does not equal direct internet access and maybe stay away from MS Windows.
That assumes the dinky router in question even bothers to run a firewall on IPv6.
@@techgeeknzl are you on ipv6?
NAT can be punched through if you spoof the packet so that it matches one of the opened connections, both for ipv4 and 6.
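The point argued in the thread above (statefulness, not address translation, is what keeps unsolicited inbound packets away from a LAN host, so a globally routable IPv6 address is only exposed when the router forwards without a default-deny inbound rule) as a small simulation. This is an added example, not code from the video or from any commenter; the class and function names and the 2001:db8:: documentation addresses are constructed for illustration, and the tracker ignores timeouts and TCP flags.

```python
"""Constructed simulation: stateful default-deny forwarding for an IPv6 LAN, no NAT."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

# Constructed LAN prefix taken from the IPv6 documentation range 2001:db8::/32.
LAN = IPv6Network("2001:db8:1::/64")


@dataclass(frozen=True)
class Packet:
    src: IPv6Address
    sport: int
    dst: IPv6Address
    dport: int
    proto: str = "tcp"

    def flow(self):
        """Five-tuple as seen in the packet's own direction."""
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_flow(self):
        """Five-tuple of the flow this packet would be a reply to."""
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class StatefulRouter:
    """Hypothetical home router: forwards between LAN and WAN, never translates."""

    def __init__(self, lan, default_deny_inbound=True):
        self.lan = lan
        self.default_deny_inbound = default_deny_inbound
        self.state = set()  # flows opened from inside the LAN

    def forward(self, pkt):
        src_inside = pkt.src in self.lan
        dst_inside = pkt.dst in self.lan
        if src_inside and not dst_inside:
            # Outbound: allowed, and remembered so the reply can come back.
            self.state.add(pkt.flow())
            return "accept"
        if dst_inside and not src_inside:
            # Inbound: only replies to a recorded outbound flow pass.
            if pkt.reverse_flow() in self.state:
                return "accept"
            return "drop" if self.default_deny_inbound else "accept"
        # LAN-to-LAN traffic never crosses the router; transit traffic
        # (neither end in the LAN) is not this router's business.
        return "accept" if src_inside else "drop"


def run_scenario(default_deny_inbound):
    """Replay the same four constructed packets through one router policy."""
    router = StatefulRouter(LAN, default_deny_inbound)
    host = IPv6Address("2001:db8:1::10")        # LAN host, globally routable
    server = IPv6Address("2001:db8:ffff::80")   # site the host connects to
    stranger = IPv6Address("2001:db8:dead::1")  # host the LAN never contacted
    packets = [
        ("outbound request", Packet(host, 50000, server, 443)),
        ("reply to that request", Packet(server, 443, host, 50000)),
        ("same server, unrelated port", Packet(server, 443, host, 50001)),
        ("unsolicited inbound", Packet(stranger, 40000, host, 8080)),
    ]
    return [(label, router.forward(pkt)) for label, pkt in packets]


if __name__ == "__main__":
    for policy in (True, False):
        print(f"default_deny_inbound={policy}")
        for label, verdict in run_scenario(policy):
            print(f"  {label:30s} {verdict}")
```

With the default-deny rule the last two packets are dropped even though the host's address is public; with the rule off, every packet reaches the host.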
So, in other words, to take control of a Windows system which has IPv6 enabled, an attacker simply needs to know the IPv6 address of a target machine and send a specially-formed packet (or series of packets) to it. The saddest part of this is not that this vulnerability exists, but rather that it's not surprising. Microsoft (and all other companies) needs to either fire all of its programmers for negligence or stop releasing software until they patch all of the existing security vulnerabilities and audit the software to find all vulnerabilities that are currently unknown (and fix them, too). It's infuriating that virtually nobody who writes software thinks of security as a priority. Security should be the top priority, far ahead of performance and "how quickly can we get this product released".
Hey, Low level learning, just wanted to inform you that, on your academy website, the original price in the price discount for lifetime access is incorrect (or at least, it states that the normal price is 197 and the new price is 319, which would certainly push me to wait till September 2nd ;p)
Ugh thank you
The problem is that hackers use these patches to see what Microsoft is patching and then reverse engineer and/or start investigating the code that is being patched and discover how to use the exploit. I give it a few days before the IPv6 TCP/IP stack *is* being used to exploit systems in the wild. Patch or disable IPv6 on your NIC interfaces NOW!
As an IPv6 stan this saddens me! Knee jerk reaction will be to turn off IPv6 and never turn it back on.
IPv6 does have a private address range. Hopefully router manufacturer default will be to use these addresses and not a public addresses for your LAN
Link-Local addresses are a god send when a remote device gets replaced with a spare and you get the call that it's not working.
No, please. Do not use IPv6 private ranges. They are there for a legacy reason. Your router should use DHCP-PD to ask for a range from your ISP. Then your router will announce that range via SLAAC to the internal networks. IPv6 is designed to not need DHCP server.
The concept of public v private is a characteristic of your firewall. Your internal networking being publicly routeable doesn't mean they are publicly accessible.
@@Lue30499 I will never, ever understand this ridiculous notion.
"Let's not have private addresses anymore! YAY! Everyone is directly on the Internet!" and its equally daft companion ... "NAT is not security!"
Except _it literally is._ If you're not reachable directly via the Internet, you are not vulnerable to exploits that attack you ... directly ... from the Internet. The route just does not exist.
"So use a firewall that blocks incoming traffic."
And that's fine. _If you do it._ With IPv4, and the near-ubiquitous usage of NAT imposed by the IP shortage, there was basically no choice. Everyone was behind a one-way filter by a matter of course. With IPv6 ... eh. It's optional. The problem with that, of course, is that.... _it's optional_ ... and therefore, it _will_ be turned off. (Or just never turned on.) More to the point, you won't necessarily know, because it works either way.
IPv6 has gazillions of IPs. There's no need to conserve. But that doesn't mean NAT isn't still a really good *layer* to have in the security stack. Removing it from conventional network design was the dumbest freakin thing about IPv6. And there are a lot of dumb things about IPv6.
How can you be an "IPv6 stan" and advocate for IPV6 NAT?
@@Lue30499 what meaningful difference does being publicly routable make if it doesn't allow packets the user may not have expected or prepared for to reach the device?
@@lassipulkkinen273 I'd take everything said by someone whose username contains "troll" with a grain of salt.
I’ve never heard IPv6 explained so succinctly.👏👏👏
Can we please have a break from worldwide critical IT messups 😩😩😭 I’m gonna cry
I ticked every insecurity box:
- A stupidly large number of open ports.
- Having SMB (v1) enabled all the time.
- Turning off antivirus always.
- Questionable custom Firewall rules.
Turns out randomly choosing to disable IPv6 would actually save my ass.
I still use win7, I don’t get to participate in patch Tuesday anymore
When he stated that the extreme vulnerability is related to ipv6 i laughed as i always disable that on every machine i get :)
pause for "7 days" saves me again
Many companies use Edge on their managed operating environments (MOE) for Windows Clients and indeed Servers, and in fact we actively have been removing Chrome due to all of the security vulnerabilities that it was getting compared to Edge (issues not related to the common Chromium component). When you have to do regular patching cycles and off-cycle urgent security patching for many different software tools (Microsoft, Google, Adobe etc), it makes sense to consolidate the number of update points if you can, without impacting the users' ability to work effectively. It's more efficient and easier to maintain. No real need for Chrome in a Microsoft Azure environment, for example, unless you have some weird software that is somehow dependent on Chrome (highly unlikely situation since Edge's move to Chromium though). I am not saying that Edge is better than Chrome all the time, but it is better in those type of corporate situations. Obviously IE Mode is just asking for trouble, but this can be locked down using group policy.
Except unless your Grandma is somehow still managing to use XP or Win7, she IS PATCHING, whether she bloody likes it or not, pretty much every time she turns on her computer.
@@AttilaAsztalos ?
@@burtburtist watch from 3:54 onwards
@@SreenikethanI i mean how is someone just using whatever came with their pc patching, the os stopped getting patches, i dont imagine them manually going through the kb catalogue, just disabling update notifications
@@burtburtist Because Windows automatically updates (and forces restarts), and you cannot override this without knowing a decent bit about computers.
The only way a Windows 10+ computer wouldn't be updating is if it isn't online. But then it isn't vulnerable.
@@ZipplyZane thanks for the actual answer, i didn't consider it working as intended i guess, the windows 7 failing to update bug seems pretty common, and i'm pretty sure 7 was no longer getting updates anyway, forgot if the update to 8 then 10 or whatever was truly automatic but it's been a hot minute since i've run 7 myself.
one thing that really gets me.
Why is consumer, programmer, and business service windows the same windows?
Seems like Microsoft is inviting problems. It's one thing to have cross compatibility, it's another to try and make the same product for all of them
did anyone figure out where the bug was? @7:50
Unless I'm mistaken, a webserver can force edge into IE compatibility mode with http headers. So if a user goes to such a site while using Edge and clicks a malicious link, bad things can happen.
It depends, there's a setting to disallow that.
Edge is basically mandatory for the large government agency I work for. I think usage is somewhat higher than you would expect.
Another Windows vulnerability? I'm shocked, SHOCKED!
Microsoft having severe RCE vulnerabilities ? And the sky is blue
Edge is Also a background process windows uses to operate.
so you don't have to use their browser to lose everything.
Well shows how little IPv6 is used even after 25 Years😜
Any day now!
2025 will be the year of IPv6!!!
NAT cancel IPv6
Doing a ping-sweep on IPv6 is a little like the SETI mission statement. There's gotta be somebody out there somewhere.... right?
I guess bounds-checking code in the IPv6 stack is down there on the priority list, when having malformed packets hurled randomly at your machine from the ether would be an event so novel that it might inspire the plot of a science fiction movie.
@@clashcon11 "NAT cancel IPv6" This. The problem it was designed to solve no longer exists.
Love your content man.
I love that everyone is talking about "Edge in IE mode"
well a quick google says you get roughly 2.5 pow(21) IP addresses per grain of sand in sahara, still way way too big to visualize.
given that 7506320 grains of sand per sqf, and average depth of sand is 200feet.
Some large numbers like this, what is understandable is that we no longer need NAT :D
HAH, I've had IPV6 disabled since day1.
If you want to pick up a necessary skill (that should be in first semester but wasn't truly mentioned at my uni except in electronics engineering): "Practical UML Statecharts in C/C++ - Event-Driven Programming for Embedded System". Nothing complex or trendy, just a great book explaining the skills one should have. Pricey though, it's that luxury CRC company (and suddenly you understand why Godot is doing what it does in the way it does it)
"No one uses Edge." Well, that's not true. They based it on Chromium and a lot of people no longer have any resistance to the MS pressure to use it, so use of Edge is increasing.
"No one uses Edge in IE mode." Oh, bless your heart. You've never worked in the DoD. I'm sure you'll feel really safe learning that a LOT of DoD systems are outdated and can only be accessed using IE or Edge in IE mode.
When ,"I have your ip" means something haha
appreciate you spreading the word.
That fundamental difference between IPv4 and IPv6 you mentioned, about routing and NAT, is a really good reason to disable IPv6 on every device unless it's really necessary. IPv6 was introduced to solve the problem of running out of addresses, but everything still has an IPv4 address, right? So we haven't actually "run out" yet? In other words, NAT solved the problem. Are there any IPv6 only networks i.e. where IPv4 is unsupported and IPv6 is therefore the only option? If IPv6 is really necessary, there must exist IPv6 only networks, otherwise logic says it's not necessary.
Good ol' Macroshit Wangblows. I really should switch to Lunix at some point.
"Macroshit Wangblows" Thank you. You made my day. xD
"So you and i can use our PC in a safer way"
*laughs in Linux*
A lot of people hated NAT and welcomed IPv6 back when it was first introduced. I was still at high school or uni back then.
Can't believe NAT nowadays is desired for the security side-effects. Wish Internet were less hostile like the old days.
Honestly it's really weird how he seemed to imply a lack of firewalling for IPv6 would be the user's fault. Obviously that's a terrible default -- no NAT != no firewall. I'm sure there are some sloppy routers out there that do that, but I should also add my own anecdote of a router whose IPv6 firewalling was so effective you couldn't disable it at all; turning off the firewall only applied to IPv4. Also very annoying, but at least it's secure.
Same as a lot of other comments. Our company force defaults us to Edge every reboot, some of our apps need Edge to load. Ughhhh
Gone are the days of Woz's Apple II. 😓 I miss the 80's.
So what is the vulnerability? You just said that it's IPv6 because there is no NAT needed.
Shiiiish! Sir, great job! Very interesting to listen!
Great coverage of this week’s patch.
Also, Ed seems to be a little bit out of sync with audio 😅
IPv6 considered harmful.
Seriously though how the hell am I first hearing of this here? Thanks for the info, I updated my machine.
IPv6 Windows Implementation considered harmful more like
You should make a video on the killchain methodology. You have a great way of drawing parallels
Me waiting for the day when thumbnail says "Playing this video can hack your computer"
@5:28 I'd like to comment that TCP/IP is older than the OSI model, and as such, the OSI model is at best not super helpful and at worst completely misleading. Layer 1, 2 and 3 still kind of fit but it doesn't really match where TCP or IP sits in all this.
Yeah, I wish they'd kill the OSI model. Layers 1-4 are useful, but 5-7 are OSI specific. They *sometimes* align with certain things, but they're not formalized into the network stack like OSI required.
The OSI network stack is dead. We've robbed its corpse of the few good things it held. Bury the model with it and move on.
@@jeffspaulding9834 Yes please! If there are protocols or environments that fit the entire model, I've never seen it and I've never even heard of it. I'm from a time where I've still seen IPX/SPX used in medium sized organizations, or where token ring had just been phased out. I'm happy with TCP and UDP over IPv4 and honestly still confused about IPv6 so as far as I understand the OSI model is not helping anyone except for (for me) the first 3 layers.
@@Gersberms OSI protocols definitely existed and were used mostly in Europe. But the vendor support just wasn't there. TCP/IP was available on UNIX, had commercial network hardware available (notably, Cisco), had lots of software that could use it, and was in active use in the US. The various X.25 efforts in Europe just couldn't catch up, and eventually all the OSI-based networks switched to IP or shut down. The Wikipedia article "Protocol Wars" has a good summary of the timeline.
The model's useful for training people to think about the various layers in a protocol stack, but the requirement that all seven layers be formalized just doesn't line up with reality. I regularly work with protocols that push priority data all the way down to Layer-2, for instance (Profinet, Ethernet/IP) and the rigid OSI stack requirements aren't flexible enough for that.
I think what he meant was: "Nobody that we care about uses Edge in IE mode."
To be fair, the two bad things to take away from this video are:
1. IPv6 forgoes a major advantage of public vs private networks. This is honestly a bigger security issue. Why was this logical, easily defended border considered unnecessary?
2. TCP/IP on Windows for IPv6 is currently insecure.
I.e., two compounding issues that honestly make the whole situation worse for most people.
But at least a lot of people don't have an IPv6 address to start with, since a lot of ISPs haven't yet adopted such, despite it soon being 3 decades since its inception.
Can you explain the new AMD CPU bug in detail? It sounds super complicated, but it also sounds like you are in trouble anyway on a machine if you can be affected by this bug.
But a vulnerability that stays on your PC even after you reinstall your OS just sounds bad 🙁.
But I think it could be interesting to take a closer look.
Man ngl I think I got hit by one of those, and I still have the motherboard (an amd b450) but have not quite been able to figure out how to diagnose the thing without infecting more USB drives with whatever was on it. So as far as I got, was basically that it has the capability to propagate via USB drives without any user interaction (just by plugging it into the powered on motherboard). Drives used in my testing/troubleshooting/analysis lost all ability to be reformatted too. Idk if that's from the same exploit or vuln you mentioned but it sounds like what I had happen.
@@apIthletIcc The USB issue is something else and I don't know how to test if you have this issue.
The AMD CPU one that I am talking about, I think they call that Sinkclose vulnerability. 🤷‍♂️ But they are similar, just for CPUs.
Windows has a major problem - its existence.
My ISP does not even provide me with IPv6
Same here. I use a tunnel from Hurricane Electric, which works great except that Google makes you use a captcha because it's flagged HE's entire network.
You can get a /48 and several /64s for free.
@1:50 actually we use edge in ie mode to bypass paywalls on some websites @9:20 isn't that CGN CGNAT LSN?
I am using edge exclusively at work now.
The IT download group policy for some reason hasn't spread to edge yet while they have it on Chrome.
Which is one of the reasons I switched to Edge. There are other out of the box user intuitive features on Edge. But yeah, all in all, I have been using Edge for a while now at work.
Great content 👌👏
Darn... If the problem is only because of NAT security mentality, that would be a funny reason for this exploit to exist.
Thanks for the video!
A few points:
The OSI model doesn't properly map to TCP/IP; it has more layers and, for instance, IP doesn't have a dedicated data link layer, as Ethernet provides data link and local networking while IP provides networking between Ethernet networks. There are actually multiple TCP/IP models that have been created over the years; they are all generally better than the OSI model.
While IPv6 allows for people to operate without NAT, my ISP doesn't support it, so I'm not aware of what a normal configuration is. Are ISPs actually giving out routers that allocate globally routable addresses to every network device without a default deny firewall in place? If that is the case, this CVE is the tip of a very insane iceberg.
I think the biggest problem is for large corporate networks that use Windows. Someone falls for a phishing attack and runs an executable they shouldn't and then every computer in the network can be hosed without the need to even escalate to admin rights (assuming the attack doesn't require raw packets which would require admin rights to send, in which case you just need local admin on a single device and a priv esc and the whole network is pwned.)