Microsoft Tweaks Windows XP Wireless Security
Microsoft last month quietly issued a long-overdue update to fix a simple yet potentially dangerous security weakness in the way embedded wireless cards work on Windows XP laptops.
Open up an XP portable, and if you're looking with the right tools you'll notice the machine starts scanning for wireless networks that it recognizes. It does this by sending out a beacon advertising the names of the networks it is seeking. An XP laptop will run through the entire list of network names with which it has previously associated, over and over, until the machine has associated with a network. Some wireless adapters will go so far as to automatically probe for randomly generated network names.
The upshot of all this is bad guys can take advantage of these behaviors, as I wrote in January at the Shmoocon hacker conference, where security gadfly Mark "Simple Nomad" Loveless called attention to this problem. Loveless showed that by sniffing the wireless requests sent out by a target XP machine, an attacker can learn the name of a previously associated network and force the target to connect directly to the attacker's PC, which for all intents and purposes appears to the would-be victim as just another wireless access point (assuming the victim is even paying attention during all of this.)
Even before Nomad's talk, this problem had been brought to Microsoft's attention by security researcher Dino Dai Zovi, who months earlier gave a presentation at Microsoft's invitation-only Blue Hat security conference in which he demoed how such an attack might work.
"In a hall of 400-500 engineers, we hijacked upwards of 100 clients instantly, enough that our Linux laptop became unstable from all the wireless traffic passing through it," Dai Zovi recalled in a writeup sent to the Bugtraq security mailing list. "In practice, since nearly every roaming laptop has at least one unencrypted hotspot network in [its] preferred/trusted networks, almost all Windows XP and Mac OS X laptops are susceptible to this kind of attack."
Note that last line: Mac OS X had this very same problem, one that it fixed in July 2005, just a couple of months after Dai Zovi's presentation.
Microsoft doesn't classify this as a "security update," but if you're using a Windows laptop, it's a good idea to apply this patch. According to Dai Zovi, using a software firewall (even the built-in Windows Firewall) will prevent vulnerable XP machines from being attacked via this weakness.
"However, when the attacker controls the DHCP and DNS server (as they do when they are acting as a rogue access point), the victim [computer] can be attacked when it makes outbound connections," Dai Zovi wrote in an e-mail to Security Fix. (DHCP servers are responsible for handing out network addresses to computers on the fly, and DNS servers serve as a kind of "yellow book" for Internet traffic, translating human-friendly Web site names into numeric Internet addresses that are easier for computers to understand.)
Dai Zovi continues: "The rogue access point coerces the client into connecting to the attacker's machine, thus obviating the firewall. This usually requires the user having Web or mail software running, but automatic outbound network requests from [those kinds of programs are] very common and these may be attacked."
This patch did not show up when I ran a Microsoft Update scan on my HP laptop (even under optional updates), but you can manually download and install it from here.
December 13, 2006; 3:02 PM ET
Categories: New Patches
Save & Share: Previous: Microsoft's Monthly Patch Release Plugs 11 Security Holes
Next: Ransom-Mail: All Your E-Mails Are Belong to Us
Posted by: Rich Gibbs | December 13, 2006 3:05 PM | Report abuse
Posted by: Ivan Groznii | December 13, 2006 5:29 PM | Report abuse
Posted by: Tim | December 13, 2006 6:47 PM | Report abuse
Posted by: bah | December 14, 2006 4:28 AM | Report abuse
Posted by: G H Mahoney | December 14, 2006 5:37 AM | Report abuse
Posted by: Jason | December 14, 2006 12:32 PM | Report abuse
Posted by: Jason | December 14, 2006 12:38 PM | Report abuse
Posted by: TonyL | December 14, 2006 3:25 PM | Report abuse
Posted by: Tim | December 14, 2006 4:49 PM | Report abuse
Posted by: WGA'd to death | December 14, 2006 7:46 PM | Report abuse
Posted by: firstname.lastname@example.org | December 15, 2006 12:39 AM | Report abuse
Posted by: Ebooker | December 19, 2006 12:38 AM | Report abuse
Posted by: Bud | December 20, 2006 11:37 AM | Report abuse
The comments to this entry are closed.