On Sun, 28 Aug 2016 14:35:01 +0200 Frederic Marchal <frederic.marc...@wowtechnology.com> wrote:
> The requirements are:
>
> * TCP connection,
> * long-lived,
> * unencrypted,
> * long silences.
>
> I'll add that the protocol must allow the server to initiate data
> sending with only one packet (such as news pushed from the server
> to the client). Any protocol relying on an exchange is ruled out as
> the attacker won't see the victim's response.
>
> The authors found www.usatoday.com meets the requirements.
>
> Even if the requirements are met, the attack fails if the client is
> protected by a stateful firewall (either on a NAT router, modem or
> computer).

So essentially no smartphones are protected, and only a fraction of
the world's end users.

> The attacker needs a direct connection to an open port
> to probe the target system.

Yup. Not a big deal if you're directly targeting someone. It isn't
like there's any shortage of situations where this comes up.

Before the Snowden revelations, I used to presume that people claiming
that a hole like this wasn't critical to patch were simply not thinking
clearly. Now I wonder every time if they're shills for intelligence
agencies.

> The attack is also useless if the attacker can't spoof the source
> IP address.

Which means most of the world's machines directly connected to the
internet; see the stats from CAIDA and others on how much ingress
filtering is happening (not much).

> Routers in corporate environments usually block this by
> design or due to VLAN.

Yes, but you need to be in a position to spoof from somewhere, not in
a position to spoof from everywhere. Your mentioning of corporate
networks that control spoofing is uninteresting, since you can spoof
from most direct connections to the internet.

Again, as it stands right now, loads of users of random newspaper and
other web sites are vulnerable to injection attacks because of this.
There are people working under horrid conditions for the freedom of
their countries in all sorts of places who are routinely targeted by
the state agencies of dictatorships and other miscreants who would like
to inject malware onto their phones and personal computers. This is not
a theoretical problem. Again, read an article like:

https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/

to understand what the modern security situation is like. You are
arguing that it is utterly unimportant that injection attacks against
such people are fairly straightforward if they go to totally legitimate
web sites hosted on servers running Debian.

Real people die this way nowadays, or end up being tortured
indefinitely in third world hellholes because their equipment gets
compromised by FinFisher, the Hacking Group, and other suppliers of
malware to third world dictatorships. This sort of thing cannot be
ignored by an operating system supplier. One has a social
responsibility to fix holes like this.

> I bet the authors demonstrated the exploit in a very hacker
> friendly environment by disabling the target computer firewall and
> using a switch to connect the attacker and the victim on the same
> LAN.

No, they demonstrated it on the ordinary WiFi at a conference without
modification.

> Now, I wonder if many sites or protocols do meet the requirements.
>
> Except for the above requirements, I can't see many cases where
> legitimate packets injection is possible without visible side
> effects giving the attack away.

The "above requirements" are met by tens of thousands of totally
legitimate web sites that one might choose to connect to that are
running Linux kernels of appropriate vintage.

Again, in spite of a public demonstration of this, you still insist it
isn't feasible? And again, leaving such holes unpatched puts people at
risk -- and at an utterly unnecessary risk.

You claim this isn't easily feasible, but it has been demoed. It is
known possible. The hole needs to be fixed.

Perry
-- 
Perry E. Metzger pe...@piermont.com
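Both sides of the thread agree on one mitigation for an unpatched client: the attack fails when the client sits behind a stateful firewall. The ruleset below is an added example, not part of the thread and not from any Debian package; it is a minimal stateful host firewall in nftables syntax for a single-homed Linux client that only opens outbound connections. The interface name "lo" is standard; the commented-out service line is a placeholder. The rule that matters for the discussion above is "ct state invalid drop": conntrack tracks the TCP window of every connection it has seen, so a spoofed segment that does not fit any tracked connection is marked invalid and dropped before the TCP stack ever processes it, which is what denies an off-path sender a reaction to probe.

```nft
#!/usr/sbin/nft -f
# Added example (not from the mailing-list thread): a minimal stateful
# host firewall for a Linux client. Assumes nftables is available and
# that the host initiates all of its own connections.

flush ruleset

table inet filter {
    chain input {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        # Segments that conntrack cannot match to a tracked connection
        # (wrong 4-tuple, or outside the tracked TCP window) are dropped
        # before the kernel's TCP stack sees them.
        ct state invalid drop

        # Replies to connections this host opened, and related traffic
        # such as ICMP errors for them, are accepted.
        ct state established,related accept

        # Local loopback traffic.
        iif lo accept

        # ICMP needed for path MTU discovery and basic reachability.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big,
                      time-exceeded, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert } accept

        # Placeholder: uncomment and list any service this host must offer.
        # tcp dport { 22 } ct state new accept
    }

    chain forward {
        # A client host does not route for anyone else.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with "nft -f <file>" as root and confirm with "nft list ruleset". Two caveats a practitioner should check: the invalid-state rule only protects if the sysctl net.netfilter.nf_conntrack_tcp_be_liberal is left at its default of 0 (setting it to 1 tells conntrack to accept out-of-window segments), and a host firewall does nothing for the server side of the connection, which still needs the kernel fix the thread is asking for.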