Microsoft Security Wireless Networking

Microsoft Has Already Fixed the Wi-Fi Attack Vulnerability; Android Will Be Patched Within Weeks (theverge.com) 136

Microsoft says it has already fixed the problem for customers running supported versions of Windows. From a report: "We have released a security update to address this issue," says a Microsoft spokesperson in a statement to The Verge. "Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected." Microsoft is planning to publish details of the update later today. While it looks like Android and Linux devices are affected by the worst part of the vulnerabilities, allowing attackers to manipulate websites, Google has promised a fix for affected devices "in the coming weeks." Google's own Pixel devices will be the first to receive fixes with security patch level of November 6, 2017, but most other handsets are still well behind even the latest updates. Security researchers claim 41 percent of Android devices are vulnerable to an "exceptionally devastating" variant of the Wi-Fi attack that involves manipulating traffic, and it will take time to patch older devices.
  • A WiFi attack allows one to manipulate a website? That escalated quickly.

    Oh, just /. editors' normal approval of bunk write-ups.

    • by Anonymous Coward

      A WiFi attack allows one to manipulate a website? That escalated quickly.

      Oh, just /. editors' normal approval of bunk write-ups.

      It's actually possibly correct, assuming a non-HTTPS website.
      Which means it's correct but not at all likely.

    • Apparently, at least the linux/android variant of the attack allows the attacker to forge traffic, not only decrypt it.
    • So long as HTTPS isn't implemented, websites could be subjected to modified content submitted by visitors. For instance, browsers visiting self-hosted Wordpress blogs could see a javascript injected into the HTML received. In the background of the session, the user's browser could be comment-spamming the site. If the user is an admin of the site, then the javascript could use the admin's credentials to create other superuser accounts in the background.

      Even if the site's content submission forms are protect
      • by bluelip ( 123578 )

        Modified traffic. Not a modified website.

        • By modifying the traffic, the content of the website can be manipulated. In the example I gave, superuser credentials could even be generated if the administrator visits the website and her HTTP transactions are modified by an attacker.
          • by bluelip ( 123578 )

            No. The website remains the same. The content, as seen by the user, may be altered. Large difference. If credentials are compromised, that's a separate issue.

            • Please go back and read the examples I gave in my original post.

              This vulnerability opens up the user's session to being hijacked in a way that alters the content being submitted to any non-HTTPS website. That content could be forum posts or article comments. It could mean any URL posted in a comment could be changed to point at a pharma scam website. The user's browser could receive javascript injection that starts comment-spamming (as the user) a forum or wordpress site in the background.

              Packet-level ma
              • by bluelip ( 123578 )

                Your examples are marvelous. They're also irrelevant to my point. The website is not altered.

                • The OP wasn’t very clear but I get what he’s trying to say. Basically he’s trying to tell you an attacker is intercepting the traffic of an authorized poster to a Wordpress site, altering the poster’s submission as it is being submitted. As a result, the site content is being altered.
  • The article wasn't quite clear? Made it sound like it was all, already taken care of... but didn't quite specify when that patch was released?

    • So Microsoft "patched" this by not properly implementing the phase 3 handshake re-transmit as it's required in spec of 802.11i from the start.

      Windows rejects retransmit requests, causing the attack to fail.

      • by Dog-Cow ( 21281 ) on Monday October 16, 2017 @12:38PM (#55378129)

        Sounds like a good fix to me. Instead of accepting retransmits, it's safer to restart the entire handshake.

      • by DRJlaw ( 946416 ) on Monday October 16, 2017 @12:46PM (#55378177)

        "The key negotiation process needs to allow for the possibility of radio interference, so it permits the access point to re-send the message that is step three of the handshake. If an attacker sends a copy of this message, the client device will be tricked into reverting back to the original encryption key and initialization vector used at the start of the session. The client's next transmissions will have been encrypted with the same key as earlier transmissions, even though that key was only meant for a single use. That allows for a key reuse attack, which doesn't directly expose the underlying encryption key but does make it relatively easy to decrypt the data that was encrypted, especially if something is known about the structure of the messages that were both encrypted with the same key. IP packet headers, in turn, provide exactly that."

        So Microsoft "patched" this by not properly implementing the phase 3 handshake re-transmit as it's required in spec of 802.11i from the start.

        Yes, if the phase 3 handshake re-transmit required by the specification inherently enables a key reuse attack, then the flaw is not in the implementation, but the specification itself, and security would dictate that one refuse to enable that portion of the specification. Losing the ability to initialize a connection in a high RFI environment, which most installations attempt to avoid and mitigate, is an inconvenience. Having your traffic snooped is quite a bit more of an issue.
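A toy model of the behaviour discussed in the comments above, added here as an illustration; it is not code from any poster, from Microsoft, or from the 802.11i specification. The SHA-256 keystream is a stand-in for the real cipher, and the `Client` class, the `run` function and the sample byte strings are constructed assumptions.

```python
import hashlib

# Constructed sample data: one message the observer can predict, one it cannot.
KNOWN = b"known-header-bytes-000000"
SECRET = b"secret-payload-bytes-1234"


def keystream(key, nonce, length):
    """Toy counter-mode keystream: SHA-256(key | nonce | block index)."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(
            key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Toy client that installs the session key on handshake message 3."""

    def __init__(self, accept_retransmit):
        self.accept_retransmit = accept_retransmit
        self.key = None
        self.nonce = 0

    def on_message3(self, key):
        if self.key is not None and not self.accept_retransmit:
            # Behaviour the thread attributes to Windows: the repeated
            # message 3 is not honoured, so the packet counter keeps going.
            return "ignored"
        self.key = key
        self.nonce = 0  # (re)installing the key resets the packet counter
        return "installed"

    def send(self, plaintext):
        self.nonce += 1
        ks = keystream(self.key, self.nonce, len(plaintext))
        return self.nonce, xor(plaintext, ks)


def run(accept_retransmit):
    """Send KNOWN, receive a repeated message 3, then send SECRET.

    Returns (nonce_reused, bytes an observer derives from the two
    ciphertexts plus knowledge of KNOWN).
    """
    key = b"constructed-session-key"
    client = Client(accept_retransmit)
    client.on_message3(key)
    n1, ct1 = client.send(KNOWN)
    client.on_message3(key)  # second copy of message 3
    n2, ct2 = client.send(SECRET)
    derived = xor(xor(ct1, ct2), KNOWN)  # keystreams cancel only if reused
    return n1 == n2, derived


if __name__ == "__main__":
    print("accepts retransmit:", run(True))
    print("ignores retransmit:", run(False))
```

With retransmits accepted, both packets are encrypted under the same key and counter, so the second plaintext falls out without the key ever being exposed; with retransmits ignored, the counter advances and the same computation yields only noise.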

  • by DigitAl56K ( 805623 ) on Monday October 16, 2017 @11:51AM (#55377809)

    So now most Android devices are, and will continue to be, vulnerable to both BlueBorne and WPA2 KRACK, meaning that essentially they are wide open to anyone pilfering whatever they want off the device itself and as they communicate over the air. With most manufacturers abandoning updates in 3 years or sooner, and for the small pool of supported devices having very infrequent updates available, many times 3-6 months behind the curve, why do we allow this kind of chronic insecurity?

    It's insane that we allow businesses to behave like this: Give everyone computing devices they use to run their lives - healthcare, credit, banking, social, BYOD work, etc. and leave them open like Swiss cheese.

    • Re: (Score:3, Insightful)

      So, what you're telling me is that all of the affected customers will not be receiving updates, and they'll have to buy a new device?

      What a tragedy. By which I mean, the refusal to provide updates will result in greatly increased sales.

    • This is one of the primary reasons I use iOS. Apple, for all their other negatives, DO support their products pretty well. I know I can expect a good 5 years of updates for my iThing.

      I'm more pissed off at the entire industry as a whole, because we are literally in a situation where consumers have no choice other than to pick the vendor that pisses them off the least. There are literally NO good vendors. They either make crap products, don't support their products, use their products to steal your person

      • No modpoints, but have a "hear, hear"!

      • I have an old iPad 2 (I think) that won't accept any more updates. It'd be nice if Apple made a special update for old devices just for this, since it completely destroys security.

      • But Apple won't port the fix back to previous versions of iOS for devices that can run the latest. I don't want to install iOS 11 because it doesn't offer me anything I want. It'll just slow things down until 11.1 comes out when they have had a chance to work on performance. But there's no way for me to get the security updates to 10 if I want to stay on that version. So now when the patch comes out for iOS 11 I'll have to "upgrade" to 11 just because I use my devices outside of the house.

        At least Apple doe

      • Google patched BlueBorne within a day, and Samsung (as the major iPhone competitor) rolled out BlueBorne fixes [sammobile.com] within about 2 weeks of it going public.

        The problem is the damn carriers. They delay the manufacturer patches while they do their own "testing" and tweaking (i.e. installing software you can't uninstall), sometimes for months. Apple was able to strongarm the carriers into conceding control over software updates on iPhones. None of the Android manufacturers has enough marketing clout to do the
        • As an end user I really don't care where the problem is. If there's a serious vulnerability, I expect it to be fixed. I don't care if it's Google, the manufacturer, the carrier, or a leprechaun. At the end of the day, if I have an Apple device that is 5 years old, I *will* get an update. If my device is older than that, I may still get an update if the issue is serious enough.

          In the android world, it's a crap shoot. Hell, it was only a couple of years ago or so when the big makers (Samsung, LG, I forge

    • Maybe. I believe the media exploit from a year or two ago on Android was patched on phones assumed abandoned by OEMs.

      Sadly, for many customers they rely on the goodwill of their OEM and telco to provide serious patches. I expect shops like Samsung, Lenovo/Moto, LG, Sony, and HTC to patch pretty much any phone sold in the past 3 years or so.

      Budget buyers, no-name brands, etc are most likely going to be hacked constantly until they replace the phone. KRACK is bad but WPA-AES means they can't inject data and

      • >"Maybe. I believe the media exploit from a year or two ago on Android was patched on phones assumed abandoned by OEMs. "Budget buyers, no-name brands, etc are most likely going to be hacked constantly until..."

        What about Google's OWN DEVICES? I have a Nexus 5 which I bought in Feb 2014 when they were still very new. I haven't had a single update since Dec 2016. The phone works fine, it does what I want, but it will never be patched.

        I don't expect updates forever, but mine didn't even get updates for

        • by nasch ( 598556 )

          If you're nerdy enough, you could get one that satisfies everything but no crapware, and put the Android build of your choice on it.

          • >"If you're nerdy enough, you could get one that satisfies everything but no crapware, and put the Android build of your choice on it."

            I have given it serious consideration but it seems there was always something majorly wrong- either it would break Netflix or break TiVo, or was missing the Google apps, or was too dangerous, or required a lot of maintenance, etc. And if it was a NEW device, it would void the warranty, which is just too risky on a $400-$800 device.

            I suppose I will have to do SOMETHING ev

            • by nasch ( 598556 )

              If it's new, you will be getting updates anyway. If not, you could try stock Android. That should be pretty safe for running whatever app you want, and it will have the Google stuff. And if you don't want to put the latest OS on an older device I believe Google is good about issuing security patches, so you could go back to Lollipop or Marshmallow without giving up security. I don't know that for 100% though so don't take my word for it.

  • by perpenso ( 1613749 ) on Monday October 16, 2017 @12:15PM (#55377975)

    Android Will Be Patched Within Weeks

    What percentage of Android will be patched?
    The 18% with 7/Nougat or better,
    the 50% with 6/Marshmallow or better,
    the 78% with 5/Lollipop or better,
    the 92% with 4.4/Kitkat or better?
    https://developer.android.com/... [android.com]

    • by Merk42 ( 1906718 ) on Monday October 16, 2017 @12:40PM (#55378143)

      Android Will Be Patched Within Weeks

      What percentage of Android will be patched?
      The 18% with 7/Nougat or better,
      the 50% with 6/Marshmallow or better,
      the 78% with 5/Lollipop or better,
      the 92% with 4.4/Kitkat or better?
      https://developer.android.com/... [android.com]

      The .02% with 8/Oreo or better

      • As I know from first-hand experience (broadpwn), Samsung SGS8 will get its update in one and a half months after stock Android received its patch. Samsung SGS7, SGS6 will get it in 3 months. And SGS5 (which was still for sale just a year ago) will go unpatched for so long that the few users that had one, switched to a brand new iPhone.
        Yup, no more samsung in my company.

    • What percentage of Android will be patched?

      Those which are rooted and have available drivers so you can recompile them yourself, plus a couple of randomly chosen models running the newest version of Android 9.53.

    • Not sure why you're quoting version numbers instead of manufacturer support. This isn't iOS. Most security fixes are backported to earlier versions of Android. E.g. Samsung Galaxy Tab 3 which is now 5 years old had its most recent security update applied in February this year for both devices running 4.4/Kitkat and those which were optionally upgraded to 5/Lollipop by users.

      And that's to say nothing of the many security problems that are resolved in Android by simply updating some application through the p

      • Not sure why you're quoting version numbers instead of manufacturer support. This isn't iOS. Most security fixes are backported to earlier versions of Android. E.g. Samsung Galaxy Tab 3 which is now 5 years old had its most recent security update applied in February this year for both devices running 4.4/Kitkat and those which were optionally upgraded to 5/Lollipop by users.

        A Samsung branded device is no assurance of a patch. I have older Galaxy S phones that have not been offered patches in years.

        • I have a Galaxy S4, last patch was in March. I have an S5 last patch was 3 weeks ago.

          Prior to that there existed no patching framework as it was only introduced in KitKat.

          • I have a Galaxy S4, last patch was in March. I have an S5 last patch was 3 weeks ago.

            Prior to that there existed no patching framework as it was only introduced in KitKat.

            My S4 mini hasn't patched in years.

            • Samsung issued security updates to the S4 mini in April this year, and before that November last year. Sounds like your shitty carrier is getting in the way.

              • Samsung issued security updates to the S4 mini in April this year, and before that November last year. Sounds like your shitty carrier is getting in the way.

                As I said, a Samsung branded device is no assurance of a patch.

                • As I said, not Samsung's fault, not Google's fault, and quite critically to the very core of my original post: Nothing at all to do with vendors not updating the Android version.

                  • It doesn't matter whose fault it is. The fact remains, a Samsung branded device is no assurance of a patch.
      • >"Not sure why you're quoting version numbers instead of manufacturer support. This isn't iOS. Most security fixes are backported to earlier versions of Android"

        Even that doesn't help much as an explanation, either. I am one of the 50% that have Android 6.0.1, but it is on a Nexus 5. Google hasn't pushed a single OS update since Dec 2016, and likely never will. So it won't matter if they push it to older versions of Android, because I still won't get it, even on Google's own device.

        • That's not a guarantee. Google has pushed out security updates for devices past its guaranteed security update window in the past. But all in all you're still talking about a single device. The problem is ultimately one of vendors. In the security and core OS the issue is long solved.

          E.g. 2017-09-01 security update which I got on my more than 3 year old Samsung devices has been back ported all the way to KitKat, and I actually own a Tab 3 which still runs KitKat which received a security update earlier thi

          • >"The problem is ultimately one of vendors. In the security and core OS the issue is long solved."

            My point in all this was the original statement about back-porting it to Android 6. Even Google won't update their own Nexus devices running Android 6 [with other bug and security fixes], so why would any other vendor? Now, I say that, but I suppose it is POSSIBLE Google might update older devices running 6... I don't think we have had a security concern of this magnitude in recent history, so I guess we j

            • so why would any other vendor?

              What a silly statement. Because not all vendors are the same? I just gave you an example of 2 devices which are almost twice as old running versions of Android far earlier than the Nexus. Don't put Google on some pedestal of perfection that others can't reach or even exceed.

              What google decides to push specifically to the Nexus 5 has nothing to do with what fixes they apply to Android, fixes which they patch all the way to KitKat.

        • by nasch ( 598556 )

          You're agreeing with him. He said the issue is manufacturer support, not OS version, and that's exactly the problem you described.

          • >"You're agreeing with him. He said the issue is manufacturer support, not OS version, and that's exactly the problem you described."

            Yeah, I am probably too tired to be replying right now ;)

  • by Anonymous Coward

    Google has promised a fix for affected devices "in the coming weeks."

    As a Nexus 5 owner, I'm not holding my breath on that being a true statement.

  • I guess that explains why my Win10 box rebooted by itself two days ago.

  • by 140Mandak262Jamuna ( 970587 ) on Monday October 16, 2017 @12:50PM (#55378213) Journal
    From what I understand, the attack is on the router, forcing it to reuse known keys for encryption. How do the client devices fix this issue?
    • by guruevi ( 827432 )

      The problem is on the client imho. Basically what you do is replay the authentication packet "as if" the packet got lost and you're just asking for the packet to be re-sent. The client will then re-send predictable data (zeros) which an attacker can thus use to decrypt the key.

      It's a bit similar to the apocryphal story about hacking the Enigma, if you send "Heil Hitler" at the end of every message or weather reports, you can guess those portions of a key and by calculating back/forwards you can get a number

    • By ignoring any attempt to re-transmit and restarting the entire handshake process from the beginning. Ultimately it will result in a slower connection if something doesn't go perfectly the first go but the security flaw relies on a spec feature that was designed to cope with transmission errors during the negotiation process.

  • It's not just the phones, tablets and computers that need to be updated. Since it's clients that need to be patched it's everything that connects to the network. Thermostats, scales, TVs, digital photo frames, ...

  • Unless the patch was deployed before the vulnerability was exposed, the word "already" shouldn't be in the headline.

  • OK, so how do I check whether a system has been pwned via any of these CVEs before being patched? OpenBSD provided system updates that essentially leaked the vulnerability, and government agencies have known for at least two months, not to mention everyone that they notified. Of course, we all have complete faith in the fidelity of our beloved United States government and all commercial corporations - they've never let us down.....

    Does anyone have utilities that check all system programs and critical file

  • ... and first than MS, but I think they're not paying media like TheVerge to share this.
  • "within weeks". Epic customer support.
