What Wi-Fi Security Problem? Windows is Already Patched

Posted on October 16, 2017 by Paul Thurrott in Windows with 25 Comments

You may have heard about a massive new Wi-Fi security vulnerability. But if you’re using Windows, you’re all set: Microsoft already issued a patch that fixes the flaw.

“We have released a security update to address this issue,” a Microsoft statement explains. “Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.”

One can safely assume that means “all supported versions of Windows,” and not just Windows 10. But the software giant says it will provide more details in a blog post later today. But I find it interesting that Microsoft already fixed this issue. It suggests they’ve known about it for some time.

Update: Microsoft has provided additional details.

“Microsoft released security updates on October 10, 2017 as part of Update Tuesday to resolve this vulnerability in all affected editions of Windows. Customers who have Windows Update enabled and who applied the latest security updates are protected automatically.”

Anyway, if you’ve not heard, a security researcher today disclosed a massive vulnerability in the WPA2 security protocol that is used to encrypt Wi-Fi traffic.

“The attack works against all modern protected Wi-Fi networks,” the researcher noted. “If your device supports Wi-Fi, it is most likely affected.” So. All of them, then.

By the way, if you’re an Android user too, Google promises a fix for this flaw “in the coming weeks.” This is important because the attack is apparently “exceptionally devastating against Linux and Android 6.0 or higher.”


26 responses to “What Wi-Fi Security Problem? Windows is Already Patched”

  1. LocalPCGuy

    What is the KB of "the update" that fixes the problem? It's not mentioned.

  2. Roger Ramjet

    Anyone see the irony in this? Google are the big bad security researchers that point fingers at, most specifically, Microsoft all of the time (one would think this seems more like competitive information releases rather than neutral "security research", but whatever).

    Just last week, they even went after Microsoft for patching supported Windows versions only, or for patching versions one after another, claiming this exposes unpatched versions to exploits and is bad, bad Microsoft.

    Now, a gigantic systemic security flaw in WiFi is revealed (known to all the companies before being put out in public), and Microsoft is ready on day 1, Google is promising some future date, not only that, on that future date, Google will first fix their own Pixel phones, then others later still. At least that is the promise. This is kinda Chutzpah, no?

  3. Bob Shutts

    Wow. Who's doing all the down voting here?

  4. peterh_oz

    Stop and listen to the tech media, and media in general, congratulating Microsoft & criticising Google & Apple for their patching speeds ... *crickets* #hypocrites

  5. skane2600

    Just another bit of evidence that the "many eyes" theory of open source is bunk.

    • Username

      In reply to skane2600:

      Of course if you bothered to read the linked article you’d know “The weaknesses are in the Wi-Fi standard itself, and *not in individual products or implementations*. Therefore, any *correct* implementation of WPA2 is likely affected.”

      Additionally, the vast majority of de facto standards are open - that’s what allows them to become.. standard.

      Kudos to Paul for selective quoting.

  6. matsan

    Ubiquiti was able to roll out new firmware for most of their access-points within hours so clearly this flaw must have been known for some time.

  7. timothyhuber

    Let's see how quickly other companies can respond. As I have a fair bit of Google hardware (Android phones, Chromecast Audio, OnHub and Google Wifi, and Google Home), here's hoping they move fast.

  8. Oasis

    No Update for Windows 7 (yet).....

    Microsoft says it has already fixed the problem for customers running supported versions of Windows. “We have released a security update to address this issue,” says a Microsoft spokesperson in a statement to The Verge. “Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.” Microsoft says the Windows updates released on October 10th protect customers, and the company “withheld disclosure until other vendors could develop and release updates.” The Verge....

  9. Jester

    Worth noting that either the access point or device needs to be patched and you're OK.

    • MarkWibaux

      In reply to Jester:

      Not really, you need to do both (if you are running 802.11r on your SSID). You can mitigate the client issues by making AP changes but it's not a fix.

      Quoting from revolutionwifi blog

      There are 9 vulnerabilities that are client related and 1 that is AP / Infrastructure related. All are implementation issues, meaning software patching can fix them! Of the 9 CVEs related to clients, ALL can be mitigated with AP / Infrastructure updates as a workaround, but the infrastructure won't be able to determine if failure is from packet loss issues or attack. The long-term fix is definitely client software patching. The 1 CVE related to AP / Infrastructure is related to 802.11r Fast Transition - if you have it enabled you should patch ASAP. If not, no big deal. Many, many thanks go to Hemant Chaskar, Mojo Networks, and Pentester Academy!

  10. jrickel96

    And it'll take how long for an Android user to get a security fix? Will most of them ever get it until they buy a new phone? Pixel users will get it quickly. What if your phone is over two years old? Will you get patched?

    It's nice that Google's "on" it. Funny that Microsoft was on it and patched it before the general public even knew.

    iOS users will get a patch long before even a small fraction of Android users do.

    I think it's time for governments to step to the plate and force the issue here to ensure that consumers get updates without being forced to buy new handsets. That means each manufactured handset must have a guaranteed 4 year support cycle for the OS.

    I think it's also imperative to use anti-trust to strip Android from Google and have it run by a consortium that is responsive to the needs of consumers. Open it up to different stores and strip it from requiring Google services. Google is going to be a problem going forward for Android. It's time to break up the company and separate their ad/search business from other assets in the business, including Chrome.

  11. TallITGuy

    The impression I got from other reporting was that the researchers were in contact with different vendors before going public, so it could be that MS used that disclosure to move forward on creating a patch, rather than them knowing about the vulnerability & sitting on it while silently patching Windows.

  12. tbsteph

    "Google promises a fix for this flaw 'in the coming weeks'"? One would assume both Google and Apple were also aware of this security issue before today. Bravo Microsoft for being on top of this!

  13. dontbe evil

    meanwhile google is too busy trying to find windows vulnerabilities
