Technology companies are starting to respond to a new Wi-Fi exploit affecting all modern Wi-Fi networks using WPA or WPA2 encryption. The security vulnerabilities allow attackers to read Wi-Fi traffic between devices and wireless access points, and in some cases even modify it to inject malware into websites. Security researchers claim devices running macOS, Windows, iOS, Android, and Linux will be affected by the vulnerabilities.
Microsoft says it has already fixed the problem for customers running supported versions of Windows. “We have released a security update to address this issue,” says a Microsoft spokesperson in a statement to The Verge. “Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.” Microsoft says the Windows updates released on October 10th protect customers, and the company “withheld disclosure until other vendors could develop and release updates.”
While it looks like Android and Linux devices are affected by the worst part of the vulnerabilities, the variant that allows attackers to manipulate websites, Google has promised a fix for affected devices “in the coming weeks.” Google’s own Pixel devices will be the first to receive fixes, with a security patch level of November 6, 2017, but most other handsets are still well behind even the latest updates. Security researchers claim 41 percent of Android devices are vulnerable to an “exceptionally devastating” variant of the Wi-Fi attack that involves manipulating traffic, and it will take time to patch older devices.
The Verge has reached out to a variety of Android phone makers to clarify when security patches will reach handsets, and we’ll update you accordingly. At the time of writing, Apple has not yet clarified whether the latest versions of macOS and iOS are vulnerable.
The Wi-Fi Alliance, a network of companies responsible for Wi-Fi, has responded to the disclosure of the vulnerabilities. “This issue can be resolved through straightforward software updates, and the Wi-Fi industry, including major platform providers, has already started deploying patches to Wi-Fi users,” says a Wi-Fi Alliance spokesperson. “Users can expect all their Wi-Fi devices, whether patched or unpatched, to continue working well together.”
Apple also confirmed to both The Verge and AppleInsider that the vulnerability is patched in a beta version of the current operating systems. The fix should go public in a few weeks, so iOS and macOS devices aren't in the clear just yet. AppleInsider also reports that AirPort hardware, including the Time Machine, AirPort Extreme base station, and AirPort Express do not have a patch. The publication's source also wasn't sure if one was in the works.
Update, 2PM ET: New Microsoft statement added.
Update, 3PM ET: Apple comment added.
Comments
"At the time of writing, Apple has not yet clarified whether the latest versions of macOS and iOS are vulnerable." It is not so much Apple’s OSes that concern some of us but Apple’s routers. Does it just affect software, or is it a firmware update that Apple could patch? The article isn’t clear on this.
By Barry Marshall on 10.16.17 10:09am
This is primarily a client side attack, so you’ll need to update devices. Check the links to the previous coverage for full details.
By Tom Warren on 10.16.17 10:25am
https://www.krackattacks.com/ as linked in your other article.
The protocol itself is broken. The information provided there said that either the router or the devices needed to be patched for this.
By EarlyMon on 10.16.17 12:33pm
Dear Verge, a link to the Microsoft update would be very helpful. I just checked Windows Update and tried Google etc. to no avail, please throw us a bone.
By donotbugme on 10.16.17 10:12am
Patch Tuesday.
Companies were announced before it was made public.
By Alin Maior on 10.16.17 10:20am
A key part of the story to read: "Microsoft is planning to publish details of the update later today."
By Tom Warren on 10.16.17 10:24am
Thank you!
By donotbugme on 10.16.17 2:03pm
Got a patch from Microsoft at about 2:00pm Central time. It was just an automatic update. No issues to report.
By Mergatroid Mania on 10.16.17 4:40pm
My understanding was that we were still in a mitigation stage rather than a fix, because there’s an underlying issue with the standard (retransmission of packets that are dropped during the initial handshake), and that aspect isn’t so easily fixed. Is that incorrect, or are companies saying they’ve fixed the issue when actually they just mean they’ve fixed some aspects of the hack?
By Polycrastinator on 10.16.17 10:25am
The issue is that how to handle retransmitted HS MSG3 frames is undefined in the spec. That has some problematic consequences with how parsing of MSG3 is supposed to be done.
Windows ends up being immune to all of the retransmit exploits because Microsoft defined how to handle retransmits a decade ago: reject the packet. The spec allows that, and it protects against most of today’s exploits.
By Exhale on 10.16.17 8:14pm
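The two comments above describe the core of the issue: a client that re-runs the key install when message 3 of the four-way handshake arrives a second time also resets its per-key packet counter. The toy model below is an added example, not code from the article, the researchers, or any vendor. It uses placeholder strings instead of real keys and no real 802.11 frames; it simply contrasts a lenient client that reinstalls on every message 3 with a strict one that drops a repeat once a key is in place (the behaviour Exhale attributes to Windows), and shows why the strict choice matters: the packet numbers, which feed the encryption nonce, are never reused.

```python
"""Toy model of supplicant handling for a repeated message 3 of the WPA2
four-way handshake.  Constructed example: no real frames, no real key
derivation; 'PTK-placeholder' stands in for the derived pairwise key."""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Supplicant:
    """Minimal client-side handshake state."""
    reject_retransmits: bool          # True = drop message 3 once a key is installed
    ptk: Optional[str] = None         # installed pairwise key (placeholder)
    tx_pn: int = 0                    # per-key transmit packet number (nonce counter)
    key_installed: bool = False
    log: List[str] = field(default_factory=list)

    def handle_msg3(self, ptk: str) -> bool:
        """Process one message 3.  Returns True if the key was (re)installed."""
        if self.key_installed and self.reject_retransmits:
            # Strict handling: the key is already in place, so a repeat of
            # message 3 is ignored rather than re-running the install step.
            self.log.append("msg3 ignored: key already installed")
            return False
        # Lenient handling: (re)install the key.  Installing resets the
        # packet number to zero, which is what leads to nonce reuse below.
        self.ptk = ptk
        self.tx_pn = 0
        self.key_installed = True
        self.log.append("msg3 accepted: key installed, tx_pn reset to 0")
        return True

    def send(self) -> int:
        """Send one data frame and return the packet number used for it."""
        if not self.key_installed:
            raise RuntimeError("no key installed")
        self.tx_pn += 1
        return self.tx_pn


def run_handshake(reject_retransmits: bool) -> List[int]:
    """Drive one client through: message 3, two data frames, the same
    message 3 again, two more data frames.  Returns the packet numbers used."""
    client = Supplicant(reject_retransmits=reject_retransmits)
    pns: List[int] = []
    client.handle_msg3(ptk="PTK-placeholder")
    pns.append(client.send())
    pns.append(client.send())
    client.handle_msg3(ptk="PTK-placeholder")   # message 3 arriving a second time
    pns.append(client.send())
    pns.append(client.send())
    return pns


def has_reused_packet_number(pns: List[int]) -> bool:
    """Check a practitioner would run on captured counters: any repeated
    packet number under a single key means the encryption nonce repeated."""
    return len(pns) != len(set(pns))


if __name__ == "__main__":
    for strict in (False, True):
        pns = run_handshake(reject_retransmits=strict)
        print(f"reject_retransmits={strict}: packet numbers {pns}, "
              f"reuse={has_reused_packet_number(pns)}")
```

Running it prints a repeated 1, 2 sequence for the lenient client and a monotonic 1 to 4 for the strict one. Rejecting the repeat is not the only way to get the second result; a client that must accept a retransmitted message 3 (because its own message 4 may have been lost) gets the same outcome by keeping the already-installed key and its counters instead of reinstalling, which is the shape of the fixes vendors shipped.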
Important to highlight from the krackattacks website and something I haven’t seen the coverage mention yet:
(Emphasis theirs)
By GambaKufu on 10.16.17 10:41am
Well, that was fast.
By jorgbanos on 10.16.17 10:55am
It was disclosed to OS makers in July.
Apple still has not patched any of their OSs.
By SunAraw on 10.16.17 11:20am
Apple is too busy patching the problems they introduced in iOS 11…but this should hit one of the 11.0x patches they are issuing every few days now, hopefully.
By ChrisCW on 10.16.17 11:28am
"At the time of writing, Apple has not yet clarified whether the latest versions of macOS and iOS are vulnerable."
But if you want to take that to mean "Apple still has [no] patched any of their OSs.", go right ahead.
By The Real DMC on 10.16.17 12:36pm
In the realm of security, assume the worst. So, yes, take that to mean Apple hasn’t fixed it.
By Winklemeier on 10.16.17 2:40pm
Oh is that how it works? Assume the worst when it comes to security?
Your home is secured with a key. Assume the worst. Someone has it. You left your keys out of sight for a while last week and a nefarious thief made a copy of the key while you weren’t paying attention. Go change your locks. Right now. Nope, don’t argue, you have to assume the worst, logic be damned.
By The Real DMC on 10.16.17 6:16pm
Until defined otherwise, you always assume that state is unchanged.
Vulnerable remains vulnerable until explicitly proven otherwise.
By Exhale on 10.16.17 7:41pm
Well, it would be more like you left your keys next to a paper with your address right there on the beach in the middle of a thousand automated beach combers looking for exactly that for the express purpose of breaking into someone’s house tonight (hopefully 2).
Sure, you might be lucky or unlucky on any given day, but ignoring the reality of the situation is not good practice.
By cyrribrae on 10.16.17 7:43pm
Okay, how’s this:
"Assume the worst, but don’t be an idiot about it"
By Winklemeier on 10.17.17 6:13pm
Wait for the tweetstorms from concerned pundits demanding MS rolls out this patch to Windows XP users.
By texazzpete on 10.16.17 11:45am
If there is still a significant number of XP users out there (And there is) then it makes sense to patch them. All you’re doing by NOT patching them is allowing more insecure machines to be compromised. That doesn’t do anyone any good. It’s obvious that people on XP aren’t in any hurry to update, so withholding security patches just puts the entire infrastructure at a higher risk.
By Robb-Nunya on 10.16.17 11:49am
You are right, to my knowledge ATM machines for many banks still use XP
By Gabriel Hernandez6 on 10.16.17 12:34pm
Yes, and banks pay Microsoft to keep delivering security updates for XP, so ATMs will get the patch. It was cheaper for the banks to pay Microsoft than to upgrade to a newer version, or change OSes completely.
By ginandbacon on 10.16.17 1:17pm
I wonder how many ATMs use WiFi vs a wired connection.
By Winklemeier on 10.16.17 2:41pm