Microsoft today issued an emergency Windows security update to patch vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol used to secure wireless networks.
Details of the security update were published to Microsoft's Security Update Guide, the catalog-like portal that earlier this year replaced the decades-old practice of delivering explanatory bulletins.
All supported versions of Windows will receive the update, according to the catalog listing, including Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012 and Windows Server 2016.
The vulnerabilities were revealed by Mathy Vanhoef, a researcher at Katholieke Universiteit Leuven in Belgium. On a website that went live Monday, Vanhoef said that weaknesses in WPA2 allow criminals to read information transmitted over a Wi-Fi network thought to be encrypted by the protocol.
"Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted," Vanhoef wrote on the website. "This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on."
Vanhoef dubbed the attack "Krack," for "Key Reinstallation Attacks."
Although Microsoft released its October slate of security updates last Tuesday, it held today's patches because news of Krack was scheduled to be issued this morning by Vanhoef, numerous security organizations and multiple vendors. "In partnership with the International Consortium for Advancement of Cybersecurity on the Internet (ICASI), Microsoft participated in a multi-vendor coordinated disclosure to acknowledge and describe several Wi-Fi Protected Access (WPA) vulnerabilities," Microsoft said in its update description.
The Windows security update patches the client and server flavors of Microsoft's OS, but even then, users may be at risk, the company warned. "When affected Windows-based systems enter a connected standby mode in low-power situations, the vulnerable functionality may be offloaded to installed Wi-Fi hardware," Microsoft said. "To fully address potential vulnerabilities, you are also encouraged to contact your Wi-Fi hardware vendor to obtain updated device drivers."
Windows PCs with Automatic Updates enabled will probably receive the patches later today, most likely overnight. Managed devices must receive the green light from IT personnel.
Vanhoef and Frank Piessens, another security researcher at Katholieke Universiteit Leuven, will present a paper on Krack Nov. 1 at a conference in Dallas, Texas. The paper can be found here.