More than three weeks ago Microsoft very quietly posted an update to Windows XP SP2 that promises to make wireless surfing safer. So why wasn't it pushed to everyone via Automatic Updates?
The update -- which can be downloaded from here, validation required -- is designed to, as Microsoft says in the accompanying support document, "help prevent the Windows wireless client from advertising the wireless networks in its preferred networks list."
The update fixes a long-standing design flaw -- okay, I'd call it a bug even though Microsoft obviously won't -- in Windows XP that lets a PC automatically scan for wireless networks when it boots or powers up from hibernation. Windows' Wi-Fi client goes through a list of previously-connected-to networks, looking for one to jack into. The feature (bug) may be convenient -- you don't have to lift your lazy finger to click to connect -- but it's also dangerous.
"Advertising the name of your preferred networks creates the potential for a man-in-the-middle attack," wrote F-Secure in a blogged warning today.
That means someone at Starbucks or another public wireless hotspot could sniff for this broadcast traffic, learn the names of your previously-connected networks, then make your laptop connect directly to his notebook, which is posing as an access point.
A slacker hacker could do less and still nab you: all he has to do is configure his PC as an access point and label it with a common default network name, like "linksys" or "netgear."
My question isn't why XP's wireless was designed this way -- okay, maybe a little -- but more why this wasn't shoved to everyone through Windows/Microsoft Update and Windows' own Automatic Updates settings.
I mean, December's patches went out two days ago; why wasn't this included with that batch?
The update didn't (and still doesn't) appear when I ran Microsoft Update on my Dell laptops. I had to download and install it manually.
So now I'm protected against this man-in-the-middle scheme. But what about you? And the rest of the Windows wireless world?
I have a call in to Microsoft asking them why this isn't considered a security update. (In the past, the explanations they've given me as to why something does, or doesn't, meet the requirements to get into Automatic Updates have been hard to figure; if they do the same now, after they've used AU to blast out Internet Explorer 7, shame on them.) I'll update when I hear back.
Until then, I'd head here if I were you.