What Wi-Fi Security Problem? Windows is Already Patched

You may have heard about a massive new Wi-Fi security vulnerability. But if you’re using Windows, you’re all set: Microsoft already issued a patch that fixes the flaw.

“We have released a security update to address this issue,” a Microsoft statement explains. “Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.”

One can safely assume that means “all supported versions of Windows,” and not just Windows 10. But the software giant says it will provide more details in a blog post later today. But I find it interesting that Microsoft already fixed this issue. It suggests they’ve known about it for some time.

Update: Microsoft has provided additional details.

“Microsoft released security updates on October 10, 2017 as part of Update Tuesday to resolve this vulnerability in all affected editions of Windows. Customers who have Windows Update enabled and who applied the latest security updates are protected automatically.”

Anyway, if you’ve not heard, a security researcher today disclosed a massive vulnerability in the WPA2 security protocol that is used to encrypt Wi-Fi traffic.

“The attack works against all modern protected Wi-Fi networks,” the researcher noted. “If your device supports Wi-Fi, it is most likely affected.” So. All of them, then.

By the way, if you’re an Android user too, Google promises a fix for this flaw “in the coming weeks.” This is important because the attack is apparently “exceptionally devastating against Linux and Android 6.0 or higher.”


Conversation 26 comments

  • LocalPCGuy

    16 October, 2017 - 2:23 pm

    What is the KB of "the update" that fixes the problem? It's not mentioned.

    • Chris

      Premium Member
      16 October, 2017 - 9:33 pm

      In reply to LocalPCGuy:

      It appears to have different KB's for each OS patch. It looks to be about 18 different KB's, covering Windows 7 to 10, and Server 2008 to 2016 (x86, x64 and even Itanium)

  • tbsteph

    16 October, 2017 - 2:29 pm

    "Google promises a fix for this flaw 'in the coming weeks'"? One would assume both Google and Apple were also aware of this security issue before today. Bravo Microsoft for being on top of this!

  • TallITGuy

    16 October, 2017 - 2:30 pm

    The impression I got from other reporting was that the researchers were in contact with different vendors before going public, so it could be that MS used that disclosure to move forward on creating a patch, rather than them knowing about the vulnerability & sitting on it while silently patching Windows.

  • jrickel96

    16 October, 2017 - 2:35 pm

    And it'll take how long for an Android user to get a security fix? Will most of them ever get it until they buy a new phone? Pixel users will get it quickly. What if your phone is over two years old? Will you get patched?

    It's nice that Google's "on" it. Funny that Microsoft was on it and patched it before the general public even knew.

    iOS users will get a patch long before even a small fraction of Android users do.

    I think it's time for governments to step to the plate and force the issue here to ensure that consumers get updates without being forced to buy new handsets. That means each manufactured handset must have a guaranteed 4 year support cycle for the OS.

    I think it's also imperative to use anti-trust to strip Android from Google and have it run by a consortium that is responsive to the needs of consumers. Open it up to different stores and strip it from requiring Google services. Google is going to be a problem going forward for Android. It's time to break up the company and separate their ad/search business from other assets in the business, including Chrome.

  • Jester

    Premium Member
    16 October, 2017 - 3:07 pm

    Worth noting that either the access point or device needs to be patched and you're OK.

    • MarkWibaux

      Premium Member
      16 October, 2017 - 10:52 pm

      In reply to Jester:

      Not really, you need to do both (if you are running 802.11r on your SSID). You can mitigate the client issues by making AP changes but it's not a fix.

      Quoting from revolutionwifi blog

      There are 9 vulnerabilities that are client related and 1 that is AP / Infrastructure related. All are implementation issues, meaning software patching can fix them! Of the 9 CVE's related to clients, ALL can be mitigated with AP / Infrastructure updates as a workaround, but the infrastructure won't be able to determine if failure is from packet loss issues or attack. The long-term fix is definitely client software patching. The 1 CVE related to AP / Infrastructure is related to 802.11r Fast Transition – if you have it enabled you should patch ASAP. If not, no big deal. Many, many thanks go to Hemant Chaskar, Mojo Networks, and Pentester Academy!

  • Oasis

    Premium Member
    16 October, 2017 - 3:17 pm

    No Update for Windows 7 (yet)…..

    Microsoft says it has already fixed the problem for customers running supported versions of Windows. “We have released a security update to address this issue,” says a Microsoft spokesperson in a statement to The Verge. “Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.” Microsoft says the Windows updates released on October 10th (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-13080) protect customers, and the company “withheld disclosure until other vendors could develop and release updates.” The Verge….

  • timothyhuber

    Premium Member
    16 October, 2017 - 3:20 pm

    Let's see how quickly other companies can respond. As I have a fair bit of Google hardware (Android phones, Chromecast Audio, OnHub and Google Wifi, and Google Home) here's hoping they move fast.

  • matsan

    Premium Member
    16 October, 2017 - 3:54 pm

    Ubiquiti was able to roll out new firmware for most of their access-points within hours so clearly this flaw must have been known for some time.

    • wright_is

      Premium Member
      17 October, 2017 - 3:13 am

      In reply to matsan:

      Usually affected companies are given around 3 months notice, before researchers go public.

  • Roger Ramjet

    16 October, 2017 - 4:01 pm

    Anyone see the irony in this? Google are the big bad security researchers that point fingers at, most specifically, Microsoft all of the time (one would think this seems more like competitive information releases rather than neutral "security research", but whatever).

    Just last week, they even went after Microsoft for patching supported Windows versions only, or for patching versions one after another, claiming this exposes unpatched versions to exploits and is bad, bad Microsoft.

    Now, a gigantic systemic security flaw in WiFi is revealed (known to all the companies before being put out in public), and Microsoft is ready on day 1, Google is promising some future date, not only that, on that future date, Google will first fix their own Pixel phones, then others later still. At least that is the promise. This is kinda Chutzpah, no?

    • Jhambi

      17 October, 2017 - 12:51 am

      In reply to Roger Ramjet:

      I guess. No need to be smug about it though, especially since the author has made the case for using an Android device recently.

    • illuminated

      17 October, 2017 - 3:19 pm

      In reply to Roger Ramjet:

      Everybody should go back to fixing bugs. Stop being stupid platformists like karma77police. Something is wrong with that guy. Anyway, sometimes Microsoft is first, sometimes Google is. There is no point in being very smug about your favorite platform. I've seen some people with their smugness going off the charts. Why is that? I have windows 7, 10, 16 bunch of linux instances, android and windows phone. No big deal…

    • dontbe evil

      18 October, 2017 - 10:03 am

      In reply to Roger Ramjet:

      I agree they're too busy trying to find windows vulnerabilities, is called karma

      neowin.net/news/up-to-50-of-android-devices-impacted-by-wpa2-vulnerability

  • skane2600

    16 October, 2017 - 4:26 pm

    Just another bit of evidence that the "many eyes" theory of open source is bunk.

    • Username

      16 October, 2017 - 5:59 pm

      In reply to skane2600:

      Of course if you bothered to read the linked article you’d know “The weaknesses are in the Wi-Fi standard itself, and *not in individual products or implementations*. Therefore, any *correct* implementation of WPA2 is likely affected.”

      Additionally, vast majority of de facto standards are open – that’s what allows them to become... standard.

      Kudos to Paul for selective quoting.

  • peterh_oz

    18 October, 2017 - 4:47 am

    Stop and listen to the tech media, and media in general, congratulating Microsoft & criticising Google & Apple for their patching speeds … *crickets* #hypocrites

  • Bob Shutts

    18 October, 2017 - 9:56 am

    Wow. Who's doing all the down voting here?

  • dontbe evil

    18 October, 2017 - 10:00 am

    meanwhile google is too busy trying to find windows vulnerabilities

Thurrott © 2023 Thurrott LLC