Apple Shuts Down IPv6 Security Hole

By Lisa Vaas | Posted 2007-06-21

Apple updates Mac OS X to plug a security hole that could potentially enable denial-of-service attacks.

Apple has slammed the door shut on denial-of-service attacks and a security bypass that Type 0 routing headers in IPv6 let in. The company on June 20 put out an update, Mac OS X 10.4.10, that addresses the problem by disabling support for the headers. This vulnerability has been left wide open in IPv6 even though it was well-known and shut down in IPv4; by default, all routing engines now turn it off.
This particular type of packet header can be used to crazily bounce network packets back and forth between hops on their route, clogging up bandwidth and potentially causing a DoS.
Back in April, two researchers, EADS Corporate Research Center research engineers Philippe Biondi and Arnaud Ebalard, showed that when you can specify where your nodes route packets, you can create a loop—for example, from hop A to hop B to hop A to hop B—that exponentially jacks up Internet traffic, thus causing a DDoS (distributed DoS). The ability of users to route their own packets—a procedure optimized automatically in today's IPv4 Internet—allows not only DDoS attacks, but also the ability to bypass security. Researchers say the vulnerability is easy to fix with RH-sensitive filters.

At the time of the CanSecWest demonstration, Bob Hinden, chairman of the IPv6 working group at the Internet Engineering Task Force, told eWEEK that the group wasn't seeing this "ingenious" exploit in the wild. Still, nobody was losing time in fixing it, he said. "The implementer community is rapidly enabling fixes, and the standards body is rapidly trying to change it so it can't be used in a bad way," Hinden said at the time.

Apple said in its security advisory that the issue doesn't affect systems prior to Mac OS X 10.4. The update is available for Mac OS X 10.4 through Mac OS X 10.4.9 and Mac OS X Server 10.4 through Mac OS X Server 10.4.9. It can be obtained from Mac OS X's Software Update pane under System Preferences or via Apple's Software Downloads site.
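The "RH-sensitive filter" the researchers describe is simply a check that walks the IPv6 extension-header chain, recognises a Routing Header of type 0, and drops it, which is in effect what Apple's update does by disabling RH0 support. The following is an added illustration written for this article, not code from Apple or from the researchers; the packet builder, the sample addresses (2001:db8::, the documentation prefix) and the function names are constructed for the example. It parses a raw IPv6 packet, reports any Routing Header it finds, and returns a drop verdict for RH0 with segments left, additionally noting when the hop list repeats addresses (the A-B-A-B loop described above).

```python
import struct
import ipaddress

# IPv6 next-header values (IANA protocol numbers)
NH_HOP_BY_HOP = 0
NH_ROUTING = 43
NH_FRAGMENT = 44
NH_ICMPV6 = 58
NH_DEST_OPTS = 60
EXTENSION_HEADERS = {NH_HOP_BY_HOP, NH_ROUTING, NH_FRAGMENT, NH_DEST_OPTS}


def build_packet(src, dst, hops=None, payload=b""):
    """Construct a test IPv6 packet; with `hops` it carries a Type 0 Routing Header."""
    ext = b""
    next_header = NH_ICMPV6
    if hops:
        addr_bytes = b"".join(ipaddress.IPv6Address(h).packed for h in hops)
        # RH0 layout: next header, hdr ext len (8-octet units excluding the first 8),
        # routing type 0, segments left, 4 reserved bytes, then the hop addresses.
        ext = struct.pack("!BBBB4x", NH_ICMPV6, 2 * len(hops), 0, len(hops)) + addr_bytes
        next_header = NH_ROUTING
    fixed = struct.pack("!IHBB", 0x60000000, len(ext) + len(payload), next_header, 64)
    fixed += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return fixed + ext + payload


def parse_routing_header(packet):
    """Walk the extension-header chain; return the first Routing Header found, or None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header = packet[6]
    offset = 40
    while next_header in EXTENSION_HEADERS:
        if offset + 2 > len(packet):
            raise ValueError("truncated extension header")
        nh, ext_len = packet[offset], packet[offset + 1]
        # The Fragment header is a fixed 8 bytes; the others are (ext_len + 1) * 8 bytes.
        hdr_len = 8 if next_header == NH_FRAGMENT else (ext_len + 1) * 8
        if offset + hdr_len > len(packet):
            raise ValueError("truncated extension header")
        if next_header == NH_ROUTING:
            routing_type, segments_left = packet[offset + 2], packet[offset + 3]
            addresses = []
            if routing_type == 0:
                data = packet[offset + 8 : offset + hdr_len]
                addresses = [str(ipaddress.IPv6Address(data[i:i + 16]))
                             for i in range(0, len(data), 16)]
            return {"routing_type": routing_type,
                    "segments_left": segments_left,
                    "addresses": addresses}
        next_header, offset = nh, offset + hdr_len
    return None


def rh0_verdict(packet):
    """Filter decision: drop RH0 that still has segments to visit, accept everything else."""
    rh = parse_routing_header(packet)
    if rh is None or rh["routing_type"] != 0:
        return ("accept", None)
    if rh["segments_left"] == 0:
        # RFC 2460: a Routing header with Segments Left = 0 is ignored by the receiver.
        return ("accept", "rh0 with segments_left=0 is inert")
    addrs = rh["addresses"]
    if len(addrs) != len(set(addrs)):
        return ("drop", "rh0 with repeated hops (ping-pong amplification)")
    return ("drop", "rh0 present")


# Constructed samples: a plain packet and one whose RH0 bounces between two hops.
SAMPLE_PLAIN = build_packet("2001:db8::1", "2001:db8::a")
SAMPLE_LOOP = build_packet("2001:db8::1", "2001:db8::a",
                           hops=["2001:db8::a", "2001:db8::b", "2001:db8::a", "2001:db8::b"])

if __name__ == "__main__":
    for name, pkt in (("plain", SAMPLE_PLAIN), ("loop", SAMPLE_LOOP)):
        print(name, parse_routing_header(pkt), rh0_verdict(pkt))
```

The walk stops at the first Routing Header, which is enough for a filter; a full inspector would continue the chain, since a packet may carry several extension headers before the upper-layer protocol.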
Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
