facebook rss twitter

Microsoft already patched KRACK WPA2 vulnerability

by Mark Tyson on 17 October 2017, 09:01

Tags: Microsoft (NASDAQ:MSFT), Google (NASDAQ:GOOG), Apple (NASDAQ:AAPL), Linux

Quick Link: HEXUS.net/qadmqg

Add to My Vault: x

Yesterday there was a lot of media coverage concerning the KRACK WPA2 vulnerability. News broke that attackers could decrypt packets on WPA and WPA2 networks by manipulating and replaying cryptographic handshake messages between client devices and access points. This could enable these third parties to read unencrypted data transfers or even inject malware into websites being browsed.

KRACK is an acronym for Key Reinstallation Attacks and is particularly bad news for Android 6 and Linux (wpa_supplicant), which can be tricked into (re)installing an all-zero encryption key. There are several implementations of the KRACK attack possible and OSes vary in their resistance, as illustrated in the table above. However, there is no data suggesting this vulnerability is being exploited in the wild at the time of writing.

Microsoft patched for KRACK last Tuesday

Microsoft’s Windows 7 or newer OSes have already been updated to patch for KRACK vulnerabilities. If you have automatic updates turned on, then from last Tuesday onwards you will have received security updates directly addressing KRACK. You can read about the supplied Windows fix in an advisory document: CVE-2017-13080.

On Patch Tuesday last week this fix was provided but Microsoft didn’t disclose it in the release notes, as the vulnerability was yet to go public.

Android updates

According to The Verge, Google has promised an update for affected devices “in the coming weeks”. As Android 6+ has been highlighted as one of the most vulnerable OSes with regard to this attack, updates could be seen as important. Google Pixel devices should be updated by 6th Nov but other phone brands will undoubtedly lag behind in the race to update.

Apple’s iOS and MacOS devices have already got KRACK patches in beta versions, so fixes for these should appear in coming weeks.



HEXUS Forums :: 4 Comments

Login with Forum Account

Don't have an account? Register today!
HEXUS
Read more.
For the record, BSD, Ubuntu & Debian are also patched up.
It's just a stop gap solution. The only thing that's truly important is patched firmware for access points, routers and modems.
azrael-
It's just a stop gap solution. The only thing that's truly important is patched firmware for access points, routers and modems.

The vulnerability is in the client software, not the server, so if you are using an AP as a base, it should be OK, if it being used as a client (eg, a repeater) it may be at risk.

For users of Draytek products there is an announcement here.

http://www.draytek.co.uk/information/our-technology/wpa2-krack-vulnerability
It's just a stop gap solution. The only thing that's truly important is updating … Android phones.

Reasonably modern Windows, Mac and Linux desktops/laptops can all get updates. Apple phones from the last 3-4 years can run latest iOS and get updates. Hell I suspect even Windows Lumia phones got an update. But I've got a retail Moto X Play still on Android 6, and I've given up expecting an update.

For the majority of Android phone manufacturers it seems security is a flagship-only feature :(