• Last Updated:
  • Nov 11th, 2017 8:05 pm
Deal Fanatic
Mar 6, 2005
5321 posts
574 upvotes
PuddinTame wrote:
Oct 16th, 2017 2:45 pm
Does the windows patch even matter? The impression I get is that this is mostly a router issue.
The issue is in the WiFi standard/protocol itself. By patching your client, you should be immune to the attack even if you connect to a vulnerable/unpatched router or AP.

That is why client patches are very much relevant.

It seems Microsoft actually quietly slipped it into the Oct 10 patches (it just wasn't announced because it was ahead of the disclosure):
“Microsoft released security updates on October 10th and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.”
https://www.pcworld.com/article/3233255 ... s-pcs.html
Deal Guru
Mar 23, 2009
14109 posts
2350 upvotes
Toronto
Already fixed in the iOS and macOS betas.
Deal Addict
Mar 31, 2017
1448 posts
432 upvotes
Faith24 wrote:
Oct 16th, 2017 1:11 pm
Google is also promising a fix for Android - which will of course be useless to most Android users because Google still hasn't managed to get their act together on putting out a standard updateable version of Android for all devices, something users should rightfully be annoyed about.
It's likely going to exclude the devices that are 2 years or older. Google has set itself apart from the industry as being unreliable for major patches.
Deal Addict
Feb 29, 2012
2662 posts
1389 upvotes
Richmond
This certainly demonstrates the problems inherent in trying to design secure systems, especially when engineers with too little experience are given the job. How many times now have we seen a security hole in a protocol when error retries or repeats are allowed? For example in car remote door locks most recently.
Deal Addict
Dec 18, 2007
1111 posts
275 upvotes
Vancouver, BC
Is the Android patch out yet? My only hope is that LineageOS will update.
Deal Fanatic
Oct 25, 2003
9019 posts
195 upvotes
So both sides need to be patched? Router/access point and client? Or at least one?

Interesting, Ubiquiti already has a patch for their access points, will install tonight, along with wife's Thinkpad, I believe Intel has released updated drivers. And mentioned Windows has an update, is that required along with the driver update?
it's me ramin.
Deal Addict
Feb 29, 2012
2662 posts
1389 upvotes
Richmond
B0000rt wrote:
Oct 16th, 2017 6:57 pm
So both sides need to be patched? Router/access point and client?
It sounds like this takes the form of a man-in-the-middle attack, so if either side is patched to not follow the vulnerable sequence, then the attack is not possible. Unfortunately it's not sufficient to just patch a few of your devices, because if your router is not patched and you have other older devices connecting to it that will not get a patch, they remain vulnerable. What you really want to do is to patch both your router and any portable devices that you will use on other networks that might be unpatched.

List of patched firmware, devices and routers so far: http://www.zdnet.com/article/here-is-ev ... right-now/

My Netgear router is not yet patched.
Deal Fanatic
Mar 6, 2005
5321 posts
574 upvotes
Faith24 wrote:
Oct 16th, 2017 7:24 pm
It sounds like this takes the form of a man-in-the-middle attack, so if either side is patched to not follow the vulnerable sequence, then the attack is not possible. Unfortunately it's not sufficient to just patch a few of your devices, because if your router is not patched and you have other older devices connecting to it that will not get a patch, they remain vulnerable. What you really want to do is to patch both your router and any portable devices that you will use on other networks that might be unpatched.

List of patched firmware, devices and routers so far: http://www.zdnet.com/article/here-is-ev ... right-now/

My Netgear router is not yet patched.
Correct, as long as one side is patched you should be ok. Client patches are more important right now as you can assume most AP/Routers you connect to outside of your home will not be patched yet.

Therefore by patching your client side you will be fine even when connected to unpatched systems.

Having said that, the general public doesn't give a 2nd thought to using random public WiFi hotspots around the city.
Deal Fanatic
Mar 12, 2005
7442 posts
764 upvotes
Victoria
Faith24 wrote:
Oct 16th, 2017 7:24 pm
It sounds like this takes the form of a man-in-the-middle attack, so if either side is patched to not follow the vulnerable sequence, then the attack is not possible. Unfortunately it's not sufficient to just patch a few of your devices, because if your router is not patched and you have other older devices connecting to it that will not get a patch, they remain vulnerable. What you really want to do is to patch both your router and any portable devices that you will use on other networks that might be unpatched.

List of patched firmware, devices and routers so far: http://www.zdnet.com/article/here-is-ev ... right-now/

My Netgear router is not yet patched.
I use 3rd party firmware on my Netgear... we'll have to see who gets around to patching it first. I'm also using an old phone (S5) so it most likely isn't going to see any more updates. My laptop is old, but runs Win10... hopefully it gets one.
Deal Fanatic
Mar 6, 2005
5321 posts
574 upvotes
zod wrote:
Oct 16th, 2017 9:27 pm
I use 3rd party firmware on my Netgear... we'll have to see who gets around to patching it first. I'm also using an old phone (S5) so it most likely isn't going to see any more updates. My laptop is old, but runs Win10... hopefully it gets one.
Win 10 already got patched on Oct 10 w/ the monthly patches! MS just didn't disclose it ahead of the public disclosure (but they and other vendors were notified ahead of time to try and start patches).
Sr. Member
Aug 29, 2007
621 posts
158 upvotes
ji2o0k wrote:
Oct 16th, 2017 11:17 pm
crap, thx for the heads-up OP....

I'm using Fido's home internet modem - Hitron I think? damn, need to update our PCs at home and the router...
Has/will Fido push out an update for this? I'm hoping so but I couldn't find any info on their website.
Deal Fanatic
Jan 27, 2004
8292 posts
764 upvotes
Some wi-fi routers can use RADIUS authentication, which is EAP protocol instead of WPA2.
2007 - Ipod Video (TD), Ipod Shuffle (GM)
2006 - Ipod Nano (TD)
2005 - Ipod Shuffle (TD)
Deal Addict
Feb 29, 2012
2662 posts
1389 upvotes
Richmond
badOne wrote:
Oct 16th, 2017 5:28 pm
It's likely going to exclude the devices that are 2 years or older. Google has set itself apart from the industry as being unreliable for major patches.
It's a little worse than that. Only current devices receiving authorized software updates from carriers or directly from Google (like Nexus or Pixel phones) will get this update. My current LG phone is only 8 months old, running Android 7, but it has a patched ROM that now crashes when attempting to install any Android update, so it's out of luck. Another Android tablet I have is about 18 months old, but does not get any manufacturer updates, so it's also out of luck.

For most Android users the only solution may be to root and patch via an app, when one is available.
Deal Addict
Sep 10, 2005
3104 posts
492 upvotes
GTA
Don't assume only patching your access point or router will protect you. Patching APs is for fixing client modes. This is a client side attack. Each vulnerable device needs to be patched.
