Microsoft is the first of the major tech companies to issue an update to fix a major security flaw discovered in wi-fi enabled devices.
The discovery of the vulnerability, dubbed KRACK, the scale of which has been described as “unprecedented”, is one of the biggest security scares of all time and affects almost all devices that have wi-fi capabilities.
Microsoft says its Windows update released on October 10 included a patch that fixes the problem on devices running Windows 7, 8, 8.1 and 10.
“We have released a security update to address this issue,” a Microsoft spokesperson told The Verge.
“Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.”
Meanwhile, Apple and Google have said they are working on an update that protects devices from the vulnerability.
Apple says its updates have already been developed and are in the final stages of testing. The Cupertino firm said updates for iOS, MacOS and WatchOS will be released within weeks.
However, the news isn’t so good for users running devices powered by Google’s Android operating system.
While Google has said it will release an update on November 6, it could take months before Android manufacturers release their own version of the security update. Older devices or those still running old versions of Android may never be fixed.
The KRACK vulnerability was discovered by Belgian security researcher Mathy Vanhoef on Monday and exploits a flaw in the way data is secured as it travels between two devices such as a PC and a wi-fi router.
Normally when two devices are connected via wi-fi they create their own unique encryption key. This key is then used when data is transferred between the devices.
However, Mr Vanhoef found that hackers can hijack this encryption process so that the devices use an old encryption key that has already been in use.
This means that a hacker within range of the wi-fi network could decipher any information sent over it, such as passwords, private messages and credit card or banking details.
On his website, which is dedicated to the vulnerability, Mr Vanhoef warned that KRACK “works against all modern protected Wi-Fi networks”.
The software updates from Microsoft, and the others due to be released by Apple and Google, will help to protect some users, but many millions more will still be at risk from the vulnerability.
Users have been urged to install the latest patches for their wi-fi routers.
Some vendors such as D-Link and Linksys have said they are working on a fix.
In statements released to Tom’s Guide, Linksys said:
“Belkin International (Belkin, Linksys, and Wemo) is aware of the WPA vulnerability. Our security teams are verifying details and we will advise accordingly. Also know that we are committed to putting the customer first and are planning to post instructions on our security advisory page on what customers can do to update their products, if and when required.”
“On Oct. 16, 2017, a WPA2 wireless protocol vulnerability was reported. D-Link immediately took actions to investigate the issues. This appears to be an industry-wide issue that will require firmware patches to be provided from the relevant semiconductor chipset manufacturers. D-Link has requested assistance from the chipset manufacturers. As soon as patches are received and validated from the chipset manufacturers, D-Link will post updates on its website support.dlink.com immediately.”
However, if you are using a router from your ISP, which most people probably are, there isn’t a great deal you can do other than wait for your internet provider to release a fix – and there is no telling how long that could be.
This whole episode is a case in point that you need to keep your devices updated, install security updates when they are released and make sure you have auto-update enabled.
In the meantime, there are a number of things you can do to protect yourself against the KRACK vulnerability.
– Where you can, update all the wireless devices you own
– Turn on auto-update wherever possible
– Consider only using ethernet or cellular data
– Use a VPN
– Avoid unprotected or public wi-fi connections