LAS VEGAS -- Vista users would be wise to turn off the Teredo IP
tunneling system that is enabled by default in Microsoft's newest
operating system, since attackers may be able to exploit it for
phishing, pharming and other mischief. James Hoagland, principal
security researcher for Symantec Corp., issued that warning
Thursday during a presentation at the Black Hat 2007
conference.
Hoagland -- along with fellow researchers Matt Conover, Tim
Newsham and Ollie Whitehouse -- conducted an extensive analysis of
Vista. They found that while Microsoft has significantly improved
security in the latest version of Windows, new vulnerabilities were
likely created in the process.
Hoagland said the best example may be Vista's default enabling of
Teredo. The software giant has embraced Teredo as a way to help
users transition from IPv4, the long-standing protocol that is
quickly running short on IP address space, to IPv6, a more advanced
protocol that vastly increases the number of IP addresses available
to networked devices.
He said Microsoft loves IPv6 because, among other things, it
eases the process of setting up peer-to-peer (P2P) gaming programs.
But on the downside, IPv6 can also double Vista's possible attack
surface -- at least until IPv4 is eliminated. Furthermore, many
network security controls may not be ready for IPv6.
Hoagland noted that the Cupertino, Calif.-based Symantec has
already discovered one Teredo/IPv6-related flaw in Vista, which
Microsoft patched in the MS07-038 security update released last
month. According to the
researchers, the Teredo interface in Vista was not properly
handling certain network traffic, allowing remote attackers to
bypass firewall-blocking rules and obtain sensitive information via
crafted IPv6 traffic.
"There are some serious security implications with Teredo,"
Hoagland said. "This includes the potential for unexpected host
accessibility, phishing and pharming threats and possible peer
address disclosure."
Attackers could also exploit Vista's implementation of Teredo to
bypass such network security controls as firewalls and intrusion
detection and prevention (IDS/IPS) systems. To correct this, Hoagland
said security tools need to be reprogrammed so they are
specifically aware of Teredo.
"Because it can be so difficult to inspect Teredo, a consensus
has been reached [in the information security community] that
Teredo should not be used in managed networks," Hoagland said.
To be fair, he said, there are some positives with Teredo. It
requires a lot of packet-sanity checks, which can prevent a number
of attacks. The program also includes some decent anti-spoofing
mechanisms. But for Hoagland, that's not much of a silver
lining.
"Disable Teredo and block it on the network," Hoagland
instructed, "upgrade your security controls and beware of Teredo
tunneling through your network."
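As an added illustration of what "Teredo-aware" inspection involves (example code written for this page, not from the Symantec researchers or the article), the script below decodes the IPv4 server and client endpoints that RFC 4380 embeds in every Teredo address, which is the peer address disclosure Hoagland refers to, and flags flow records that indicate Teredo on a managed network: UDP traffic on port 3544 and any IPv6 endpoint inside 2001::/32. The flow tuples and addresses are constructed sample data using documentation ranges.

```python
# Teredo address decoding and flow triage (added example; constructed sample data).
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")  # RFC 4380 Teredo service prefix
TEREDO_UDP_PORT = 3544                              # UDP port Teredo servers/relays use


def decode_teredo(addr):
    """Return the IPv4 endpoints embedded in a Teredo address, or None if not Teredo.

    RFC 4380 layout: 32-bit prefix | 32-bit Teredo server IPv4 | 16-bit flags |
    16-bit client UDP port XOR 0xFFFF | 32-bit client public IPv4 XOR 0xFFFFFFFF.
    Anyone who sees the address can read the client's NAT-mapped IPv4:port.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed
    flags, obf_port = struct.unpack("!HH", raw[8:12])
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),
        "cone_nat": bool(flags & 0x8000),  # cone flag: client sits behind a cone NAT
        "client_port": obf_port ^ 0xFFFF,
        "client_ip": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))),
    }


def triage_flows(flows):
    """Flag flows that carry Teredo.

    flows: iterable of (proto, src_ip, src_port, dst_ip, dst_port) tuples.
    Signals: IPv4/UDP to or from port 3544 (the tunnel itself) and any IPv6
    endpoint in 2001::/32 (a host reachable only through a Teredo tunnel).
    """
    findings = []
    for proto, src, sport, dst, dport in flows:
        if proto == "udp" and TEREDO_UDP_PORT in (sport, dport):
            findings.append(("teredo-udp", src, dst))
        for end in (src, dst):
            if ":" in end and (info := decode_teredo(end)):
                findings.append(("teredo-addr", end, f"{info['client_ip']}:{info['client_port']}"))
    return findings


# Constructed sample flows (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    ("udp", "10.0.0.5", 51000, "203.0.113.9", TEREDO_UDP_PORT),
    ("tcp", "10.0.0.5", 51001, "198.51.100.20", 443),
    ("tcp", "2001:0:c000:201:8000:63bf:39cc:9bf8", 52000, "2001:db8::1", 80),
]

if __name__ == "__main__":
    for finding in triage_flows(SAMPLE_FLOWS):
        print(finding)
```

On the host side, the matching step from Hoagland's advice is to disable the interface (`netsh interface teredo set state disabled` on Vista); the flow triage above is the network-side check that catches hosts where that has not been done.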