Categories
News

Microsoft already fixed KRACK WPA2 vulnerability

KRACK, the Wi-Fi security vulnerability, has come as a shock to the technology companies including Microsoft, Apple, and Google. While the other companies are still looking for a security solution, Microsoft has released security updates for its Windows on Tuesday.

Microsoft Security Response Center releases security bulletins monthly on a Tuesday (called Patch Tuesday), and this month they released security updates on 10th October. Microsoft had not disclosed that the new security features also address the KRACK until this vulnerability came in sight on Monday.

The users who had already installed the Patch Tuesday’s security updates, already installed a fix for the KRACK vulnerability, albeit unknowingly.

“In partnership with the International Consortium for Advancement of Cybersecurity on the Internet (ICASI), Microsoft participated in a multi-vendor coordinated disclosure to acknowledge and describe several Wi-Fi Protected Access (WPA) vulnerabilities,” Microsoft said in an update description.

The affected Windows-based systems need to enter a connected standby mode in low-power situations to offload the vulnerabilities installed on Wi-Fi hardware. Microsoft also suggested the customers to contact their Wi-Fi hardware vendors to obtain updated device drivers.

The new security updates from Microsoft are available on all versions, according to catalog listing, including Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012 and Windows Server 2016.

Also read: Every Wi-Fi enabled device vulnerable to a new security attack called KRACK

Microsoft’s new security release consists of security updates for Internet Explorer, Microsoft Edge, Skype for Business, Lync, Chakra Core, Microsoft Office Services and Web Apps.

Categories
News

Every Wi-Fi enabled device vulnerable to a new security attack called KRACK

Security researchers have discovered weaknesses in the WPA2 (Wi-Fi Protected Access II), the security protocol for most modern Wi-Fi networks. An attacker within the range of victim can interrupt credit card numbers, passwords, photos, and other sensible information using the bug called KRACK (Key Reinstallation Attacks).

What this means is that the security built into Wi-Fi is likely ineffective, and we should not assume it provides any security. If the security problem which researchers have discovered is true, then it will be very difficult to fix it. Because the WPA2 is built into almost every internet connected device.

During the initial research, it was found that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others are all affected by some variant of attacks. The attacks against Linux and Android 6.0 or higher devices could be devastating because these devices can be tricked into (re)installing an all-zero encryption key. Currently 41% of Android devices are vulnerable to this attack.

It is also possible that attackers can inject and manipulate data depending on the network configuration, such as ransomware or other malware data into websites.

US Homeland Security’s cyber-emergency unit US-CERT confirmed the news of vulnerability on Monday and described the research this way- “US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.”

Most of the protected Wi-Fi networks including personal and enterprise WPA2 networks are affected by the KRACK and are at risk of attack. All the clients and access points that were examined by researchers were vulnerable to some variant of the attack. The vulnerabilities are indexed as: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.

“The weakness lies in the protocol’s four-way handshake, which securely allows new devices with a pre-shared password to join the network. If your device supports Wi-Fi, it is most likely affected,” said Mathy Vanhoef, a computer security academic, who found the flaw.

Changing the passwords is not going to work even if you set a strong one. So, update all your devices and operating systems to the latest versions. As of now, users can protect themselves by sticking with sites that have HTTPS security, and keeping the Wi-Fi off. Since the security issue is related to Wi-Fi, the attacker has to be within a range, and the odds of widespread attacks are apparently low.

Also read: Many organizations unprepared for DNS attacks, reveals new global survey

The warning came at Black Hat security conference, and is scheduled to be formally presented on November 1 at ACM Conference on Computer and Communications Security (CCS) in Dallas.