Careers & Certifications

05:01 PM
Connect Directly
RSS
E-Mail
50%
50%

Microsoft Patches Windows XP Wireless, Tells No One

The patch is designed to make surfing public wireless hotspots safer by reducing the chance of "man-in-the-middle" attacks.

Microsoft quietly posted a Windows XP SP2 patch to make surfing public wireless hotspots safer, but didn't include it with the December security updates released Tuesday and hasn't posted it as a download from Microsoft Update.

The update fixes a long-standing security problem in Windows XP SP2, which starts an automatic scan for wireless networks when a laptop boots or powers up from hibernation. Windows' Wi-Fi client goes through a list of previously used wireless networks, and if it finds one, connects. The convenience, however, is offset by possible "man-in-the-middle" attacks, where criminals monitor hotspot traffic and then dupe others' notebooks into connecting to their PC, which is posing as an access point. Once an attacker has tricked a user into connecting to the rogue hotspot, he can capture all wireless data, including passwords or other confidential information.

"This update helps prevent a Windows wireless client from advertising the wireless networks in its preferred networks list," Microsoft said in a support document posted in late November.

Finnish security vendor F-Secure confirmed that the practice of broadcasting the names of wireless networks is dangerous. "Advertising the name of your preferred networks creates the potential for a man-in-the-middle attack," wrote F-Secure in a blogged warning.

When asked to explain why the patch wasn't distributed through Automatic Updates or posted to the Microsoft Update Web site, a company spokesperson didn't directly respond, but only pointed out an October security advisory that described an earlier edition of the fix. Microsoft typically follows up an advisory with an official patch deployed as a security update, but didn't do so in this case. The advisory offers no additional explanation.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Slideshows
Cartoon
Audio Interviews
Archived Audio Interviews
Jeremy Schulman, founder of Schprockits, a network automation startup operating in stealth mode, joins us to explore whether networking professionals all need to learn programming in order to remain employed.
White Papers
Register for Network Computing Newsletters
Current Issue
Video
Twitter Feed