> The issue can be mitigated by disabling the WebUI when not on a trusted network (like at home) or behind a NAT device (i.e. not directly reachable over the Internet).
I wonder, does it listen on ipv6 too? If so people may not even be aware that their computer is reachable.
I don't want to nitpick, but publicly addressable =/= publicly reachable. All (probably, I'm sure there are examples of it being done wrong) home routers that support IPv^ will include at least a basic firewall as well.
> The issue can be mitigated by disabling the WebUI when not on a trusted network (like at home) or behind a NAT device (i.e. not directly reachable over the Internet)... but is not really a solution that will scale well across the user base.
Why? I was under the impression most home users will have a (shitty) wifi router separating the home network from the world. If you can breach this and/or run code on a machine inside the home LAN you are already done. I don't get what's the new threat here.
People increasingly use laptops as their primary computer. If they enable this feature to use on their home network, they could easily forget to disable it then they bring the computer with them to a more hostile environment. (But, on the other hand, isn't the Windows Firewall in Vista and newer designed to handle this, by having separate rules for "home", "work" and "public" networks?)
7 comments
[ 2.2 ms ] story [ 34.5 ms ] threadI wonder, does it listen on ipv6 too? If so people may not even be aware that their computer is reachable.
Why? I was under the impression most home users will have a (shitty) wifi router separating the home network from the world. If you can breach this and/or run code on a machine inside the home LAN you are already done. I don't get what's the new threat here.