
IPv6-handling flaw found in Windows 7

Microsoft has confirmed a vulnerability in the way Windows 7 handles some IPv6 traffic, but says it will not fix the flaw until the next version of Windows
Written by David Meyer, Contributor

Researchers have found a flaw in the way Windows 7 handles IPv6, one of the key protocols underlying the internet, saying attackers could use the vulnerability to crash PCs.

The security firm Barracuda Labs said on Tuesday that someone would have to make a targeted denial-of-service attack to exploit the vulnerability, but exploitation could cause failure in a PC's network connectivity, applications and sound system.

Microsoft has acknowledged and reported the flaw, but has said it will not patch it in a security update, because exploiting the vulnerability requires local network access.

According to Barracuda Labs researcher Thomas Unterleitner, the vulnerability lies in the way Windows 7's remote procedure call (RPC) function handles malformed DHCPv6 requests — DHCP (Dynamic Host Configuration Protocol) being the automatic configuration protocol that lets servers allocate IP addresses to clients at start-up.

DHCPv6 is part of IPv6, the new version of the internet protocol that is being slowly rolled out. 128-bit IPv6 addressing can handle a vastly greater number of connected network devices than 32-bit IPv4, which was introduced in 1981 and is now running out of address space.

Intercept DHCPv6 traffic

"To exploit this vulnerability, an attacker would need to intercept DHCPv6 traffic," Unterleitner wrote. "Once a DHCPv6 request has been intercepted, the corresponding reply would have to be modified to contain the malformed Domain Search List option. On reception of this malformed packet, RPC on the remote machine would fail. Exploiting this vulnerability would cause the RPC service to fail, losing any RPC-based services, as well as the potential loss of some COM functions."

Unterleitner told ZDNet UK on Wednesday that a successful attack would "crash the RPC service from the Windows operating system, and without this service Windows 'collapses' slowly — no sound, no IP and so on".

Barracuda Labs confirmed the DHCPv6 vulnerability on both 32-bit and 64-bit versions of Windows 7 Ultimate with Service Pack 1, and said it was "very likely" that other versions of Windows 7, and possibly earlier versions of Windows, are also affected.

After the security researchers warned Microsoft of the flaw, the company replied in late July, saying it had replicated the vulnerability. However, Microsoft said that executing a man-in-the-middle attack or establishing a rogue DHCPv6 server to exploit the flaw would require local access, so the flaw would only be fixed in the next version of Windows.

Unterleitner said an incorrectly configured or buggy Linux DHCP server could also trigger similar effects on the client PC, but the method described by Barracuda Labs is the easiest way for a "pinpoint denial-of-service" attack to compromise a client.

ZDNet UK has asked Microsoft for comment on the vulnerability, but had received none at the time of writing.
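For defenders monitoring a LAN segment for rogue or buggy DHCPv6 servers, the following added example (not code from Barracuda Labs, Microsoft or the original article) checks whether the Domain Search List option in a DHCPv6 message is well-formed. The article does not say which malformation was used, so this assumes only the public encoding rules: option code 24 from RFC 3646, and uncompressed RFC 1035 names. The function names and sample bytes are constructed for illustration.

```python
import struct

OPTION_DOMAIN_LIST = 24  # Domain Search List option code (RFC 3646)

def check_domain_list(data):
    """Return problems found in an RFC 1035-encoded list of domain names."""
    if not data:
        return ["empty option"]
    pos = name_len = 0
    while pos < len(data):
        length = data[pos]
        pos += 1
        if length == 0:              # zero-length root label ends one name
            name_len = 0
            continue
        if length & 0xC0:            # >63, or a compression pointer (not allowed)
            return [f"invalid label length 0x{length:02x} at offset {pos - 1}"]
        if pos + length > len(data):
            return [f"label at offset {pos - 1} runs past end of option"]
        pos += length
        name_len += 1 + length
        if name_len > 254:           # 255 octets max, including the terminator
            return ["domain name longer than 255 octets"]
    return ["last domain name not terminated"] if name_len else []

def scan_dhcpv6(msg):
    """Walk the options of a DHCPv6 client/server message and report findings."""
    if len(msg) < 4:                 # 1-byte msg-type + 3-byte transaction-id
        return ["truncated header"]
    findings, pos = [], 4
    while pos < len(msg):
        if pos + 4 > len(msg):
            return findings + ["truncated option header"]
        code, olen = struct.unpack_from("!HH", msg, pos)
        pos += 4
        if pos + olen > len(msg):
            return findings + [f"option {code} length {olen} runs past end of message"]
        if code == OPTION_DOMAIN_LIST:
            findings += [f"option 24: {p}" for p in check_domain_list(msg[pos:pos + olen])]
        pos += olen
    return findings

# Constructed sample messages (not captured traffic): REPLY (type 7), xid 0x010203
HEADER = bytes([7, 1, 2, 3])
GOOD_LIST = b"\x07example\x03com\x00\x03lab\x07example\x03com\x00"
BAD_LIST = b"\x07example\x20com\x00"   # label claims 32 bytes, only 4 remain
GOOD = HEADER + struct.pack("!HH", OPTION_DOMAIN_LIST, len(GOOD_LIST)) + GOOD_LIST
BAD = HEADER + struct.pack("!HH", OPTION_DOMAIN_LIST, len(BAD_LIST)) + BAD_LIST
```

Feed `scan_dhcpv6` the UDP payload of traffic from port 547 to port 546; any non-empty result on a server reply is worth an alert, whether the source is hostile or simply misconfigured.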

