MS: Windows Phone 8 Wi-Fi Vulnerable, Cannot Be Patched

Freshly Exhumed writes "Microsoft advises that a cryptographic problem in the PEAP-MS-CHAPv2 protocol used in Windows Phone 8 to provide WPA2 authentication allows a victim's encrypted domain credentials to be collected by an attacker posing as a typical WiFi access point. Redmond further states that this problem cannot be patched, although a set of manually entered configuration changes involving root certificates on all WP8 phones and on WiFi access points will apparently address the issue. WP7.8 phones are likewise vulnerable."

Why can't it be patched?

[metrix007]

If it can be fixed through manual configuration changes, why can't a patch make those same configuration changes?

Wait

[jayhawk88]

What's so special about Windows Phone 8/7.8 with regards to this issue? If you're not requiring a cert validating the identity of your radius server/access point/whatever, ANY device is going to be vulnerable to a spoofed SSID kind of attack, right?

Re:Why can't it be patched?

[Anonymous Coward]

watch as your actual-factual answer languishes at 0 while the "funny" comment about the NSA gets +5 Insightful.

Re:Why can't it be patched?

[DrXym]

Sounds like Microsoft has most to fear on their own campuses since I doubt that there are many other businesses with a high enough concentration of vulnerable phones who would be worth the risk.