December 12th, 2016

Users Told Disconnect Certain Netgear Routers

Some popular Netgear routers contain a security flaw that is evidently easy to exploit and can make users vulnerable to a CSRF attack.

About this time I’m wondering if I’d even purchase a Netgear router.

You’d think that with all of the fuss recently about the insecure Internet of Things, especially when it comes to routers, any router maker would be on top of it and patching vulnerabilities as soon as they’re discovered.

Evidently not, as far as Netgear is concerned.

On Friday, a researcher with the online handle Acew0rm published a vulnerability that the U.S. CERT Coordination Center (CERT/CC) at Carnegie Mellon University has rated as “critical,” giving it a score of 9.3 out of 10 using the Common Vulnerability Scoring System. Over the weekend, Netgear confirmed the vulnerability, saying that its R7000, R6400 and R8000 routers were possibly vulnerable. However, PCWorld has reported that another researcher has looked into the matter and has indicated that other Netgear Nighthawk routers are vulnerable, including models R7000, R6400 and R8000.

So why did Acew0rm publish the exploit? It’s a familiar story. It appears that he notified Netgear of the vulnerability in August but never heard back from them.

Again, you’d think that a company marketing routers would want to patch their routers sooner rather than later given recent IoT news, wouldn’t you? I ask you, is this any way to run a router company?

The flaw exposes the router to a Cross-Site Request Forgery (CSRF) attack, in which a malicious web page causes a visitor’s browser to send requests to the router on the attacker’s behalf, using the browser’s existing session with the device. Although the folks at CERT/CC are recommending that users remove the routers from service until Netgear issues a patch, Lucian Constantin has published some possible workarounds on PCWorld for users who aren’t able to do this.
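To make the CSRF mechanism concrete from the defender’s side, here is an added example that is not from the article and not Netgear’s firmware: a toy admin-interface handler written in two versions. The weak version accepts any request that carries the session cookie, which a browser attaches automatically, so a hidden form on a hostile page gets through. The hardened version also insists on a POST, checks that the request’s Origin (or Referer) is the router itself, and requires a per-session anti-CSRF token. The `Request` model, the `ROUTER_ORIGIN` address and the sample traffic in `demo()` are all assumptions constructed for this illustration.

```python
"""
Added example: telling a legitimate configuration change apart from a
cross-site request forgery in a router's web admin interface.
Illustrative code only; not Netgear firmware. The request shape,
ROUTER_ORIGIN and the sample requests are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Origin the admin pages are served from (assumed value for the example).
ROUTER_ORIGIN = "http://192.168.1.1"


@dataclass
class Request:
    """Minimal model of an HTTP request as the admin handler sees it."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


def _origin_of(url: str) -> str:
    """Reduce a URL (Origin or Referer value) to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def unprotected_handler(req: Request) -> bool:
    """Weak design: the session cookie alone authorises a state change.
    Browsers send cookies automatically, so a form auto-submitted from a
    malicious page is indistinguishable from the user's own click."""
    return req.cookies.get("session") == "valid-session"


def hardened_handler(req: Request, session_token: str) -> Tuple[bool, str]:
    """Defence in depth for a state-changing admin request:
    1. only POST may change state (GET links are trivially forged);
    2. Origin, or failing that Referer, must be the router itself;
    3. the form must carry the per-session anti-CSRF token."""
    if req.method != "POST":
        return False, "state change via GET refused"
    if req.cookies.get("session") != "valid-session":
        return False, "no valid session"
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is None:
        return False, "no Origin/Referer header"
    if _origin_of(source) != ROUTER_ORIGIN:
        return False, f"cross-site request from {_origin_of(source)}"
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison so token checking does not leak timing.
    if not hmac.compare_digest(supplied, session_token):
        return False, "missing or wrong anti-CSRF token"
    return True, "accepted"


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Run both handlers over constructed sample traffic.
    Returns {name: (unprotected_accepts, hardened_accepts)}."""
    token = secrets.token_hex(16)  # per-session token issued with the page
    session = {"session": "valid-session"}
    samples = {
        # The user changes DNS from the router's own page: legitimate.
        "legit": Request("POST", "/apply.cgi",
                         headers={"Origin": ROUTER_ORIGIN},
                         form={"dns": "192.0.2.53", "csrf_token": token},
                         cookies=session),
        # Auto-submitted form on a hostile page (constructed example host).
        "forged_post": Request("POST", "/apply.cgi",
                               headers={"Origin": "http://evil.example"},
                               form={"dns": "203.0.113.5"},
                               cookies=session),
        # Image tag or link pointing at a GET that changes settings.
        "forged_get": Request("GET", "/apply.cgi?dns=203.0.113.5",
                              headers={"Referer": "http://evil.example/p"},
                              cookies=session),
    }
    results = {}
    for name, req in samples.items():
        accepted, reason = hardened_handler(req, token)
        results[name] = (unprotected_handler(req), accepted)
        print(f"{name:12s} unprotected={results[name][0]!s:5} "
              f"hardened={accepted!s:5} ({reason})")
    return results


if __name__ == "__main__":
    demo()
```

The point the output makes is that the weak handler accepts all three requests, since each carries the cookie, while the hardened handler accepts only the one whose Origin is the router and whose form includes the token. Checking Origin alone is not enough on its own, because some clients strip it; the token is what makes the check robust, and the Origin test is a cheap early rejection.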

Over at Computerworld, Michael Horowitz opines that those considering buying a Netgear router “can use this issue to gauge how the company deals with security.” No thanks. I’ve already made my evaluation. Netgear made the decision to sit on top of this vulnerability for four months, evidently doing nothing about it. They’re only acting on this now because of press reports and because an exploit has been made public, meaning the black hats are ready to pounce.

Meanwhile, we have to get a handle on the Internet of insecure things now. Not later.

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

4 comments to Users Told Disconnect Certain Netgear Routers

  • UncleEd

    Having the feeling of dodging a bullet, that neither my Netgear DSL Modem/Router nor my Netgear wifi router is one of the listed models. Then the other side of me wonders if I really did dodge a bullet or if the news just isn’t out yet. For better or worse, tomorrow is a new day with new opportunities for “stuff,” of course.

  • Mike

    Closed source code is unfit for any purpose involving security, i.e. unfit for any purpose at all.

  • Y\X

    YO should know already …

    in order to be popular, or in other words

    so that people would purchase some products

    you must be …

  • tracyanne

    Apparently Netgear are now releasing patches to fix this problem. I imagine they are worried about a drop in sales, and are only now doing this as a PR exercise to stem that drop.