7 comments

[ 2.2 ms ] story [ 34.5 ms ] thread
> The issue can be mitigated by disabling the WebUI when not on a trusted network (like at home) or behind a NAT device (i.e. not directly reachable over the Internet).

I wonder, does it listen on ipv6 too? If so people may not even be aware that their computer is reachable.

Which ISPs enable native IPv6 but ship a router with a permissive IPv6 firewall?
I don't want to nitpick, but publicly addressable =/= publicly reachable. All (probably, I'm sure there are examples of it being done wrong) home routers that support IPv^ will include at least a basic firewall as well.
> The issue can be mitigated by disabling the WebUI when not on a trusted network (like at home) or behind a NAT device (i.e. not directly reachable over the Internet)... but is not really a solution that will scale well across the user base.

Why? I was under the impression most home users will have a (shitty) wifi router separating the home network from the world. If you can breach this and/or run code on a machine inside the home LAN you are already done. I don't get what's the new threat here.

People increasingly use laptops as their primary computer. If they enable this feature to use on their home network, they could easily forget to disable it then they bring the computer with them to a more hostile environment. (But, on the other hand, isn't the Windows Firewall in Vista and newer designed to handle this, by having separate rules for "home", "work" and "public" networks?)
Doesn't this require the target's 13579 to be open? It's not really a port I have open so often