This morning we talked about a researcher from KU Leuven University in Belgium who had discovered a major security vulnerability in the WiFi Protected Access II (WPA2) protocol that is used to secure wireless internet traffic. That vulnerability could be used to allow a nefarious attacker to glean confidential details sent over WiFi such as usernames and passwords for secure websites. At least one software company didn't waste any time with an update, with Microsoft confirming that it released an update on October 10th that addressed the exploit.
Microsoft has released a patch that will fix the vulnerability on all supported versions of Windows (i.e. Windows 8.1 and later). “We have released a security update to address this issue,” said a Microsoft spokesperson in a statement to The Verge. “Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.” The spokesman went on to add that Microsoft “withheld disclosure until other vendors could develop and release updates.”
The rapid release of the patch shows how serious Microsoft took the issue despite the fact that Windows isn't as vulnerable to the attack as Linux-based platforms such as Android. The reason that Linux-based platforms such as Android are more susceptible to the flaw is that Android devices don't require a unique encryption key.
The exploit involves the attacker cloning a wireless network that uses WPA2 encryption, impersonating the MAC address, and then changing the Wi-Fi channel of the device. This allows the intruders to force devices to connect to the fake network rather than the legitimate network. Once the target devices are on the fake network, the attackers are able to snoop on the data sent and received wirelessly more easily.
To utilize the exploit, the attacker only need be within connecting distance of the target network, making this a big issue for public networks. While Microsoft has issued a patch for "Krack Attack" as the exploit is known, Google is still getting its patch for Android devices ready. Google is promising that the patch will be available for Android devices by November 6th.
Considering that many Android device makers have their own custom UI over the top of Android, it could be later than November 6th before many Android devices have a patch available. The Wi-Fi Alliance is requiring all partner companies to check their Wi-Fi devices for vulnerabilities relating to the exploit and to issue patches. As of now, Apple has offered no details on when a patch might land or if its devices will require a patch.