Microsoft quietly posted a Windows XP SP2 patch to make surfing public wireless hotspots safer, but didn't include it with the December security updates released Tuesday and hasn't posted it as a download from Microsoft Update.
The update fixes a long-standing security problem in Windows XP SP2, which starts an automatic scan for wireless networks when a laptop boots or wakes from hibernation. Windows' Wi-Fi client goes through a list of previously used wireless networks and, if it finds one, connects. The convenience, however, is offset by the risk of "man-in-the-middle" attacks: because the client advertises the names of the networks it is looking for, criminals monitoring hotspot traffic can set up a PC posing as an access point with one of those names and dupe the notebook into connecting to it. Once an attacker has tricked a user into connecting to the rogue hotspot, he can capture all wireless data, including passwords or other confidential information.
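The behaviour described above leaves two traces a wireless monitor can look for: a client sending directed probe requests for several different network names, and a single access point answering those probes under every name it hears. The following detection script is an added example, not code from the article or from Microsoft; it parses a small constructed capture log (the line format is invented for this example and is not the output of any real tool) and flags both patterns.

```python
"""Flag clients that leak their preferred-network list in directed probe
requests, and access points that answer probes under many different SSIDs.

Log format (constructed for this example, not produced by any real tool):
    <epoch_seconds> <frame_type> <source_mac> <ssid_or_-> <bssid_or_->
frame_type is PROBE_REQ, PROBE_RESP or BEACON; "-" means the field is absent
(a broadcast probe carries no SSID).
"""
from collections import defaultdict

# Constructed sample capture: one XP-style client probing for three saved
# networks, one client probing broadcast only, one station answering under
# every probed name, and one ordinary hotspot with a single SSID.
SAMPLE_LOG = """\
1133900001 PROBE_REQ 00:11:22:33:44:55 HomeNet -
1133900001 PROBE_REQ 00:11:22:33:44:55 OfficeWLAN -
1133900002 PROBE_REQ 00:11:22:33:44:55 AirportFree -
1133900002 PROBE_REQ aa:bb:cc:dd:ee:ff - -
1133900003 PROBE_RESP 66:77:88:99:aa:bb HomeNet 66:77:88:99:aa:bb
1133900003 PROBE_RESP 66:77:88:99:aa:bb OfficeWLAN 66:77:88:99:aa:bb
1133900004 PROBE_RESP 66:77:88:99:aa:bb AirportFree 66:77:88:99:aa:bb
1133900004 BEACON 0c:0d:0e:0f:10:11 CafeHotspot 0c:0d:0e:0f:10:11
1133900005 PROBE_RESP 0c:0d:0e:0f:10:11 CafeHotspot 0c:0d:0e:0f:10:11
"""


def parse_frames(text):
    """Parse the constructed log format into a list of frame dicts."""
    frames = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        ts, ftype, src, ssid, bssid = parts
        frames.append({
            "ts": int(ts),
            "type": ftype,
            "src": src.lower(),
            "ssid": None if ssid == "-" else ssid,
            "bssid": None if bssid == "-" else bssid.lower(),
        })
    return frames


def leaking_clients(frames, min_ssids=2):
    """Clients sending directed probes for at least min_ssids distinct names.

    A client that names several networks is advertising its preferred
    networks list, which is exactly what the Microsoft update suppresses.
    """
    probes = defaultdict(set)
    for f in frames:
        if f["type"] == "PROBE_REQ" and f["ssid"]:
            probes[f["src"]].add(f["ssid"])
    return {mac: sorted(s) for mac, s in probes.items() if len(s) >= min_ssids}


def promiscuous_responders(frames, min_ssids=2):
    """BSSIDs that answered probes under at least min_ssids different SSIDs.

    A genuine hotspot answers for its own name; a station that answers for
    every name it hears is behaving like the rogue access point described
    in the article.
    """
    answered = defaultdict(set)
    for f in frames:
        if f["type"] == "PROBE_RESP" and f["ssid"] and f["bssid"]:
            answered[f["bssid"]].add(f["ssid"])
    return {b: sorted(s) for b, s in answered.items() if len(s) >= min_ssids}


def report(text):
    """Run both checks over a log and return the findings."""
    frames = parse_frames(text)
    return {
        "leaking_clients": leaking_clients(frames),
        "promiscuous_responders": promiscuous_responders(frames),
    }


if __name__ == "__main__":
    for section, findings in report(SAMPLE_LOG).items():
        print(section)
        for key, ssids in findings.items():
            print(f"  {key}: {', '.join(ssids)}")
```

On the sample log the script reports the first client as leaking three saved network names and the station at `66:77:88:99:aa:bb` as answering under all three, while the single-SSID hotspot is not flagged. The responder check is a heuristic: an access point legitimately serving several SSIDs usually does so under distinct BSSIDs, but a site running virtual networks on one BSSID should raise `min_ssids` or whitelist its own infrastructure before acting on the output.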
"This update helps prevent a Windows wireless client from advertising the wireless networks in its preferred networks list," Microsoft said in a support document posted in late November.
Finnish security vendor F-Secure confirmed that the practice of broadcasting the names of wireless networks is dangerous. "Advertising the name of your preferred networks creates the potential for a man-in-the-middle attack," wrote F-Secure in a blogged warning.
When asked to explain why the patch wasn't distributed through Automatic Updates or posted to the Microsoft Update Web site, a company spokesperson didn't directly respond, but only pointed to an October security advisory that described an earlier edition of the fix. Microsoft typically follows up an advisory with an official patch deployed as a security update, but didn't do so in this case. The advisory offers no additional explanation.