Slashdot Mirror


Microsoft Has Already Fixed the Wi-Fi Attack Vulnerability; Android Will Be Patched Within Weeks (theverge.com)

Microsoft says it has already fixed the problem for customers running supported versions of Windows. From a report: "We have released a security update to address this issue," says a Microsoft spokesperson in a statement to The Verge. "Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected." Microsoft is planning to publish details of the update later today. While it looks like Android and Linux devices are affected by the worst part of the vulnerabilities, allowing attackers to manipulate websites, Google has promised a fix for affected devices "in the coming weeks." Google's own Pixel devices will be the first to receive fixes with security patch level of November 6, 2017, but most other handsets are still well behind even the latest updates. Security researchers claim 41 percent of Android devices are vulnerable to an "exceptionally devastating" variant of the Wi-Fi attack that involves manipulating traffic, and it will take time to patch older devices.

136 comments

  1. Um, fuck off by behrooz0az · · Score: 0, Flamebait

    Either put a fucking CVE number or description of what the actual bug is in the damn title or sod off. thanks.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
    1. Re: Um, fuck off by Anonymous Coward · · Score: 3, Insightful

      Grow up. The article links to the previous Slashdot story from earlier today and is still on the front page. The previous article links to a research paper explaining the vulnerability. For anyone who has looked at the front page this morning or even bothered to examine the links in the summary, it's blatantly obvious which vulnerability is being discussed here. Here's hoping you're modded -1 flamebait. You deserve it.

    2. Re:Um, fuck off by crypticedge · · Score: 5, Informative

      This is a high profile issue at the moment. I realize looking back at it in a few weeks may be worth that kind of comment, but there's been multiple slashdot articles on it today, and every tech news site is buzzing about it.

      To fill your rage though,

      The following Common Vulnerabilities and Exposures (CVE) identifiers were assigned to track which products are affected by specific instantiations of our key reinstallation attack:

      CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
      CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
      CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
      CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
      CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
      CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
      CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
      CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
      CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
      CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
      Note that each CVE identifier represents a specific instantiation of a key reinstallation attack. This means each CVE ID describes a specific protocol vulnerability, and therefore many vendors are affected by each individual CVE ID. You can also read vulnerability note VU#228519 of CERT/CC for additional details on which products are known to be affected.

    3. Re:Um, fuck off by Anonymous Coward · · Score: 0

      Christ, does Mommy still wipe your ass for you as well.

    4. Re: Um, fuck off by Anonymous Coward · · Score: 0, Insightful

      Stop being an apologist for msmash's atrocious editing. It's extremely important to know exactly which security problems are being discussed here. That's where CVE numbers come in. They take away the ambiguity.

      And don't forget that the front page shows the most recent submissions first. Somebody looking at the front page will see this atrocious and confusing submission before they see the other one.

      There's no excuse for a summary as bad as this one. No excuse at all!

    5. Re: Um, fuck off by Anonymous Coward · · Score: 1

      How do I patch my Nexus 5? It's running the default Android, but I don't see an update available. When will this fix be available for Nexus phones?

    6. Re: Um, fuck off by Archon · · Score: 1

      3rd party firmware is your only option at this point.

    7. Re: Um, fuck off by Anonymous Coward · · Score: 1

      https://forum.xda-developers.com/google-nexus-5/orig-development/rom-cm14-1-nexus-5-hammerhead-t3510548
      https://download.lineageos.org/hammerhead
      https://twrp.me/devices/lgnexus5.html
      https://forum.xda-developers.com/google-nexus-5/general/noob-read-adb-fastboot-how-hep-t2807273

    8. Re: Um, fuck off by behrooz0az · · Score: 2

      And don't forget that the front page shows the most recent submissions first.

      Thank you. This is actually what happened here.
      As some of us have jobs and don't live in our mom's basements we tend to read the news after we're done and what do we get? This masterpiece of editorial work.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
    9. Re: Um, fuck off by thegarbz · · Score: 1

      Can't get to the link in the 8th word of the submission? How do you have a job with an attention span that short?

      Or if you actually have a useful attention span, how do you have a job with time management skills so poor that you spend more time posting about not being spoon fed than clicking a link?

    10. Re: Um, fuck off by Brockmire · · Score: 1

      He's not asking for a fucking link, asshole. He's asking for a proper description of the bug, specifically a CVE number. Your reading comprehension is pathetic. How the fuck do you operate without hand holding?

  2. What devices need to be patched? by Anonymous Coward · · Score: 0

    Reading the comments on the previous article, it sounds like this attack involves an attacker creating a fake AP that masquerades as the real one, then exploits message 3 of the WPA2 handshake. However, there were some comments indicating that APs might need to be patched. How would an AP be vulnerable to the attack, and why would they need to be patched? Should I expect that I'll need to upgrade my router's firmware to fix this? I'm confused because it sounds like the issue involves vulnerable clients.

    Also, why would Android require weeks to patch, especially because the attack was confidentially reported to vendors two months ago? This seems like a failure of Google to adequately fix vulnerabilities.

    1. Re:What devices need to be patched? by Anonymous Coward · · Score: 0

      because the hardware manufacturers and carriers have to hold things up for reasons.

    2. Re:What devices need to be patched? by UnknowingFool · · Score: 1

      The attack requires spoofing the AP. The client (your device) will certainly need to be patched. The AP's firmware might be hardened so that spoofing is less likely is most likely the fix.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    3. Re: What devices need to be patched? by p91paul · · Score: 1

      On his website, the researcher wrote that sometimes AP can be configured to act as clients towards other APs (e.g. repeaters), in which case they are vulnerable.

    4. Re:What devices need to be patched? by laurencetux · · Score: 2

      you can patch the issue on either side of the setup and this attack will fail so

      P client and P router = no attack
      N client and P router = no attack
      P client and N router = no attack
      N client and N router = PAWNED

    5. Re:What devices need to be patched? by Z00L00K · · Score: 1

      N client and Evil Router = PAWNED.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    6. Re:What devices need to be patched? by Z00L00K · · Score: 1

      The delay and ineptness from various vendors to not provide updates is probably what will hurt the Android environment the most in the long run.

      Early days of MS-DOS had actually different computers that weren't compatible with each other when it came to hardware and each required its own version of MS-DOS. Android is in the same seat.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    7. Re:What devices need to be patched? by Anonymous Coward · · Score: 0

      Router? Huh? What do routers have to do with this?

    8. Re:What devices need to be patched? by rbgaynor · · Score: 1

      I remember CP/M getting customized by the hardware maker, but not MS-DOS.

      --
      "Good things don't end with eum, they end with mania or teria." - H. Simpson
    9. Re:What devices need to be patched? by jaa101 · · Score: 1

      Router? Huh? What do routers have to do with this?

      On the off chance that you seriously don't know what's going on here: for the general public, all boxes that connect them to the internet are "routers." This is not too surprising since a high proportion of home devices do perform routing functions. The percentage of the general public that understands what a wireless access point is is very small.

    10. Re:What devices need to be patched? by thogard · · Score: 1

      Before the IBM bios was clean room reverse engineered, every vendor's version of MS DOS was different. Tandy and DEC were two examples.

    11. Re: What devices need to be patched? by Brockmire · · Score: 1

      Don't contribute and allow improper use of router and AP terms. The OP should be shamed to prevent this kind of stupid talk.

  3. Gee, thanks Mr. Google by Anonymous Coward · · Score: 0, Insightful

    That patch is gonna do so much good laying around at your release server.

    1. Re: Gee, thanks Mr. Google by Brockmire · · Score: 1

      I'm certain it'll be in next month's update for my BlackBerry phone.

  4. Wait, what? by Anonymous Coward · · Score: 0

    MS just fixes a bug?? No "We're evaluating if that can be practically exploited", just "fixed, done"...?

  5. allowing attackers to manipulate websites?? by bluelip · · Score: 1

    A WiFi attack allows one to manipulate a website? That escalated quickly.

    Oh, just /. editors' normal approval of bunk write-ups.

    --

    Yep, I never spell check.
    More incorrect spellings can be found he
    1. Re:allowing attackers to manipulate websites?? by Anonymous Coward · · Score: 1

      A WiFi attack allows one to manipulate a website? That escalated quickly.

      Oh, just /. editors' normal approval of bunk write-ups.

      It's actually possibly correct, assuming a non-HTTPS website.
      Which means it's correct but not at all likely.

    2. Re: allowing attackers to manipulate websites?? by p91paul · · Score: 1

      Apparently, at least the linux/android variant of the attack allows the attacker to forge traffic, not only decrypt it.

    3. Re:allowing attackers to manipulate websites?? by SethJohnson · · Score: 1

      So long as HTTPS isn't implemented, websites could be subjected to modified content submitted by visitors. For instance, browsers visiting self-hosted Wordpress blogs could see a javascript injected into the HTML received. In the background of the session, the user's browser could be comment-spamming the site. If the user is an admin of the site, then the javascript could use the admin's credentials to create other superuser accounts in the background.

      Even if the site's content submission forms are protected by captcha, the attacker could simply modify comment submission text to include links to pharmaceutical websites, etc. every time someone posts a comment to a self-hosted, non-HTTPS Wordpress blog. The same would hold true for forum posts.

    4. Re:allowing attackers to manipulate websites?? by bluelip · · Score: 1

      That would be "manipulate traffic to and or from a website" not "manipulate a website".

      --

      Yep, I never spell check.
      More incorrect spellings can be found he
    5. Re: allowing attackers to manipulate websites?? by bluelip · · Score: 1

      That's not manipulating a website. That's manipulating the traffic.

      --

      Yep, I never spell check.
      More incorrect spellings can be found he
    6. Re:allowing attackers to manipulate websites?? by bluelip · · Score: 1

      Modified traffic. Not a modified website.

      --

      Yep, I never spell check.
      More incorrect spellings can be found he
    7. Re:allowing attackers to manipulate websites?? by SethJohnson · · Score: 1

      By modifying the traffic, the content of the website can be manipulated. In the example I gave, superuser credentials could even be generated if the administrator visits the website and her HTTP transactions are modified by an attacker.

    8. Re:allowing attackers to manipulate websites?? by bluelip · · Score: 1

      No. The website remains the same. The content, as seen by the user, may be altered. Large difference. If credentials are compromised, that's a separate issue.

      --

      Yep, I never spell check.
      More incorrect spellings can be found he
    9. Re:allowing attackers to manipulate websites?? by SethJohnson · · Score: 1

      Please go back and read the examples I gave in my original post.

      This vulnerability opens up the user's session to being hijacked in a way that alters the content being submitted to any non-HTTPS website. That content could be forum posts or article comments. It could mean any URL posted in a comment could be changed to point at a pharma scam website. The user's browser could receive javascript injection that starts comment-spamming (as the user) a forum or wordpress site in the background.

      Packet-level manipulation works both ways-- what the browser receives as well as what the server receives.

    10. Re:allowing attackers to manipulate websites?? by bluelip · · Score: 1

      Your examples are marvelous. They're also irrelevant to my point. The website is not altered.

      --

      Yep, I never spell check.
      More incorrect spellings can be found he
    11. Re:allowing attackers to manipulate websites?? by mschwanke97402 · · Score: 1

      The OP wasn’t very clear but I get what he’s trying to say. Basically he’s trying to tell you an attacker is intercepting the traffic of an authorized poster to a Wordpress site, altering the poster’s submission as it is being submitted. As a result, the site content is being altered.

    12. Re: allowing attackers to manipulate websites?? by Anonymous Coward · · Score: 0

      Depending on how the traffic gets manipulated it *could* manipulate the website.

  6. Already released patch or new patch as of today? by millertym · · Score: 1

    The article wasn't quite clear? Made it sound like it was all, already taken care of... but didn't quite specify when that patch was released?

  7. Access Points by Anonymous Coward · · Score: 0

    Won't make a bit of difference if the access points are still vulnerable.

    1. Re:Access Points by dc29A · · Score: 5, Insightful

      Worse, how many millions of Android handsets will never see this patch?

    2. Re:Access Points by Anonymous Coward · · Score: 0

      If you want to include tablets along with handsets, I'm pretty sure you can count the 4 Android tablets I own that have never seen an OS patch since I purchased them, from 2.2, 4.3, 4.4 and 6.0. All abandonware the moment I walked out the store.

      I'm done buying Android devices.

    3. Re:Access Points by 93+Escort+Wagon · · Score: 1

      Won't make a bit of difference if the access points are still vulnerable.

      This seems to be more of an attack on clients (e.g. laptops, tablets, phones) rather than access points.

      Interestingly, this vulnerability does not expose a network's WPA2 passphrase.

      --
      #DeleteChrome
    4. Re:Access Points by fluffernutter · · Score: 1

      How many of these millions of phone and handsets will actually see a successful attack? How many have anything on them worth attacking?

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    5. Re:Access Points by sexconker · · Score: 1

      Wrong.

      If you patch a client that client is safe.
      If you patch an AP all clients using that AP are safe.

    6. Re:Access Points by slack_justyb · · Score: 1

      How many have anything on them worth attacking?

      CPU cycles is one commodity. People tend to use the same password for multiple sites, so finding the one social network that sends it unencrypted is paydirt for someone who will take it and attempt it on other sites.

    7. Re:Access Points by WaffleMonster · · Score: 2

      If you patch a client that client is safe.
      If you patch an AP all clients using that AP are safe.

      Wrong. There is no possible AP only patch that renders clients safe.

  8. Re:Patch "within weeks"; Android is a joke by Anonymous Coward · · Score: 1

    After those weeks it will take for google to patch it, add in several more weeks for the manufacturer and then yet more weeks for the carriers..... if they decide to do it at all.

  9. Apple? by Anonymous Coward · · Score: 0

    I bet they fix it in macOS 10.14 "Sierra Madre" and iOS 12!

  10. Android updates suck by DigitAl56K · · Score: 5, Insightful

    So now most Android devices are, and will continue to be, vulnerable to both BlueBorne and WPA2 KRACK, meaning that essentially they are wide open to anyone pilfering whatever they want off the device itself and as they communicate over the air. With most manufacturers abandoning updates in 3 years or sooner, and for the small pool of supported devices having very infrequent updates available, many times 3-6 months behind the curve, why do we allow this kind of chronic insecurity?

    It's insane that we allow businesses to behave like this: Give everyone computing devices they use to run their lives - healthcare, credit, banking, social, BYOD work, etc. and leave them open like Swiss cheese.

    1. Re: Android updates suck by Anonymous Coward · · Score: 0

      and yet you still own at least one.

    2. Re:Android updates suck by DNS-and-BIND · · Score: 3, Insightful

      So, what you're telling me is that all of the affected customers will not be receiving updates, and they'll have to buy a new device?

      What a tragedy. By which I mean, the refusal to provide updates will result in greatly increased sales.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    3. Re:Android updates suck by Anonymous Coward · · Score: 0

      Unlikely since most of the devices have to be given away which is why Android has a high "market share".

      Those sales you predict are not profitable. At all.

      They are garbage phones running an unpatched garbage version of Android. They will likely never be patched.

    4. Re:Android updates suck by ilsaloving · · Score: 2

      This is one of the primary reasons I use iOS. Apple, for all their other negatives, DO support their products pretty well. I know I can expect a good 5 years of updates for my iThing.

      I'm more pissed off at the entire industry as a whole, because we are literally in a situation where consumers have no choice other than to pick the vendor that pisses them off the least. There are literally NO good vendors. They either make crap products, don't support their products, use their products to steal your personal information, or some combination thereof.

      As it stands, my choice is to buy Apple and bend over up front with my wallet held high, or buy Microsoft or Google and be bent over in perpetuity by Darth Vader, having my agreement altered and hoping (in vain) that the agreement won't be altered any further.

    5. Re: Android updates suck by Anonymous Coward · · Score: 0

      I own Apple devices you insensitive clod. Been getting patches for 4+ years now.

    6. Re:Android updates suck by gad_zuki! · · Score: 1

      Maybe. I believe the media exploit from a year or two ago on Android was patched on phones assumed abandoned by OEMs.

      Sadly, for many customers they rely on the goodwill of their OEM and telco to provide serious patches. I expect shops like Samsung, Lenovo/Moto, LG, Sony, and HTC to patch pretty much any phone sold in the past 3 years or so.

      Budget buyers, no-name brands, etc are most likely going to be hacked constantly until they replace the phone. KRACK is bad but WPA-AES means they can't inject data and that's on top of TLS blocking that as well. BlueBorne, on the other hand, is much more serious and could provide root remotely.

    7. Re:Android updates suck by Anonymous Coward · · Score: 0

      Well, Windows Phone would have been better from an update standpoint but everyone was too busy hating on Microsoft to give it a proper chance, so here we are.

    8. Re:Android updates suck by bill_mcgonigle · · Score: 1

      No modpoints, but have a "hear, hear"!

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    9. Re:Android updates suck by omfglearntoplay · · Score: 1

      I have an old iPad 2 (I think) that won't accept any more updates. It'd be nice if Apple made a special update for old devices just for this, since it completely destroys security.

    10. Re:Android updates suck by CanadianMacFan · · Score: 1

      But Apple won't port the fix back to previous versions of iOS for devices that can run the latest. I don't want to install iOS 11 because it doesn't offer me anything I want. It'll just slow things down until 11.1 comes out when they have had a chance to work on performance. But there's no way for me to get the security updates to 10 if I want to stay on that version. So now when the patch comes out for iOS 11 I'll have to "upgrade" to 11 just because I use my devices outside of the house.

      At least Apple doesn't do the same with macOS. One can still get the security updates for the previous versions without having to update to the latest.

    11. Re:Android updates suck by Anonymous Coward · · Score: 0

      So now most Android devices are, and will continue to be, vulnerable to both BlueBorne and WPA2 KRACK

      My LineageOS phone is already patched against BlueBorne.
      Assuming that next week or so KRACK will be patched too.

    12. Re:Android updates suck by Anonymous Coward · · Score: 0

      I have an old iPad 2 (I think) that won't accept any more updates. It'd be nice if Apple made a special update for old devices just for this, since it completely destroys security.
       
      You never know. There was an update Apple made available for a serious security issue not that long ago that went way back down the line. My old 3GS got it.

    13. Re:Android updates suck by markdavis · · Score: 1

      >"Maybe. I believe the media exploit from a year or two ago on Android was patched on phones assumed abandoned by OEMs. "Budget buyers, no-name brands, etc are most likely going to be hacked constantly until..."

      What about Google's OWN DEVICES? I have a Nexus 5 which I bought in Feb 2014 when they were still very new. I haven't had a single update since Dec 2016. The phone works fine, it does what I want, but it will never be patched.

      I don't expect updates forever, but mine didn't even get updates for 3 years from when I bought it. And it was a flagship AND a brand name. I haven't found a single phone I could replace it with that is Android, 5", no vendor crapware/mods, works on any carrier, has a headphone jack, 64+GB, and supports wireless charging. Still waiting. :(

    14. Re:Android updates suck by nasch · · Score: 1

      If you're nerdy enough, you could get one that satisfies everything but no crapware, and put the Android build of your choice on it.

    15. Re:Android updates suck by markdavis · · Score: 1

      >"If you're nerdy enough, you could get one that satisfies everything but no crapware, and put the Android build of your choice on it."

      I have given it serious consideration but it seems there was always something majorly wrong- either it would break Netflix or break TiVo, or was missing the Google apps, or was too dangerous, or required a lot of maintenance, etc. And if it was a NEW device, it would void the warranty, which is just too risky on a $400-$800 device.

      I suppose I will have to do SOMETHING eventually. Sigh.

    16. Re:Android updates suck by Solandri · · Score: 1

      Google patched BlueBorne within a day, and Samsung (as the major iPhone competitor) rolled out BlueBorne fixes within about 2 weeks of it going public.

      The problem is the damn carriers. They delay the manufacturer patches while they do their own "testing" and tweaking (i.e. installing software you can't uninstall), sometimes for months. Apple was able to strongarm the carriers into conceding control over software updates on iPhones. None of the Android manufacturers has enough marketing clout to do the same. And Google can't because they've released Android as Open Source. If they try to strongarm the carriers, the carrier can just blow off Google and install a custom version of Android on their phones.

      What we need is to break up the vertical integration in the cell phone market. Cell tower networks, cellular service, and cellular phones should all be managed and marketed by different companies. No single company should have their fingers in more than one of those markets.

    17. Re:Android updates suck by Anonymous Coward · · Score: 0

      This is why I only buy and use Android devices that I can fully unlock and work with things like LineageOS. It's already patched.

    18. Re:Android updates suck by nasch · · Score: 1

      If it's new, you will be getting updates anyway. If not, you could try stock Android. That should be pretty safe for running whatever app you want, and it will have the Google stuff. And if you don't want to put the latest OS on an older device I believe Google is good about issuing security patches, so you could go back to Lollipop or Marshmallow without giving up security. I don't know that for 100% though so don't take my word for it.

    19. Re: Android updates suck by Anonymous Coward · · Score: 0

      ... this having no effect on the correctness of the original statement. LineageOS does not have high marketshare.

    20. Re:Android updates suck by ilsaloving · · Score: 1

      As an end user I really don't care where the problem is. If there's a serious vulnerability, I expect it to be fixed. I don't care if it's Google, the manufacturer, the carrier, or a leprechaun. At the end of the day, if I have an Apple device that is 5 years old, I *will* get an update. If my device is older than that, I may still get an update if the issue is serious enough.

      In the android world, it's a crap shoot. Hell, it was only a couple of years ago or so when the big makers (Samsung, LG, I forget who else) finally agreed that they would provide 2 years worth of updates for their hardware. My last Samsung device was prior to that agreement, and updates were virtually unheard of. I ended up being forced to root my device and install cyanogenmod just so I could have a phone that didn't suck. That was when I threw my hands up in the air and went iOS. It is unacceptable that an end user should have to root their device and install a 3rd party OS on a practically new device, just to make it work acceptably.

  11. Re:Already released patch or new patch as of today by crypticedge · · Score: 2

    So Microsoft "patched" this by not properly implementing the phase 3 handshake re-transmit as it's required in spec of 802.11i from the start.

    Windows rejects retransmit requests, causing the attack to fail.
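
Added example, not part of the thread and not any vendor's code: a toy Python model of the pairwise-key reinstallation listed under CVE-2017-13077 earlier in the thread, and of the "do not act on a retransmitted message 3" behaviour this comment describes. The `Supplicant` class, the SHA-256 keystream (a stand-in for CCMP) and the sample key and frames are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data (not taken from the thread or from any capture).
TK = bytes(range(16))          # temporal key delivered by the 4-way handshake
P1 = b"first frame data"
P2 = b"later frame data"


def keystream(tk: bytes, pn: int, length: int) -> bytes:
    """Toy keystream derived from (key, packet number); stands in for CCMP."""
    out = b""
    counter = 0
    while len(out) < length:
        block = tk + pn.to_bytes(6, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Supplicant:
    """Simplified client side of the 4-way handshake (hypothetical model)."""
    reinstall_on_retransmit: bool   # True = pre-patch behaviour
    tk: Optional[bytes] = None
    pn: int = 0                     # transmit packet number, used as the nonce

    def on_message3(self, tk: bytes) -> str:
        # Hardened: the same key is already in use, so keep it and its counter.
        if self.tk == tk and not self.reinstall_on_retransmit:
            return "key-kept"
        # Installing a key resets the packet number. Doing this a second time
        # for a key that is already in use is the key reinstallation.
        self.tk = tk
        self.pn = 0
        return "installed"

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        if self.tk is None:
            raise RuntimeError("no key installed")
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.tk, self.pn, len(plaintext)))


def run_session(reinstall_on_retransmit: bool):
    """Handshake, one frame, a retransmitted message 3, then another frame."""
    sta = Supplicant(reinstall_on_retransmit)
    events = [sta.on_message3(TK)]
    frames = [sta.send(P1)]
    events.append(sta.on_message3(TK))   # AP resends message 3 (message 4 lost)
    frames.append(sta.send(P2))
    return events, frames


def reused_packet_numbers(frames: List[Tuple[int, bytes]]) -> List[int]:
    """Defender's check: packet numbers seen more than once under one key."""
    seen, reused = set(), set()
    for pn, _ in frames:
        if pn in seen:
            reused.add(pn)
        seen.add(pn)
    return sorted(reused)


if __name__ == "__main__":
    for label, flag in (("pre-patch", True), ("hardened", False)):
        events, frames = run_session(flag)
        same = xor(frames[0][1], frames[1][1]) == xor(P1, P2)
        print(label, events, "reused PNs:", reused_packet_numbers(frames),
              "ciphertext XOR equals plaintext XOR:", same)
```

In the pre-patch run both frames go out under packet number 1, so the keystream cancels when the two ciphertexts are XORed; in the hardened run the counter keeps advancing and no packet number repeats.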

  12. What percentage of Android will be patched by perpenso · · Score: 4, Insightful

    Android Will Be Patched Within Weeks

    What percentage of Android will be patched?
    The 18% with 7/Nougat or better,
    the 50% with 6/Marshmallow or better,
    the 78% with 5/Lollipop or better,
    the 92% with 4.4/Kitkat or better?
    https://developer.android.com/...

    1. Re:What percentage of Android will be patched by Merk42 · · Score: 5, Insightful

      Android Will Be Patched Within Weeks

      What percentage of Android will be patched?
      The 18% with 7/Nougat or better,
      the 50% with 6/Marshmallow or better,
      the 78% with 5/Lollipop or better,
      the 92% with 4.4/Kitkat or better?
      https://developer.android.com/...

      The .02% with 8/Oreo or better

    2. Re:What percentage of Android will be patched by KiloByte · · Score: 1

      What percentage of Android will be patched?

      Those which are rooted and have available drivers so you can recompile them yourself, plus a couple of randomly chosen models running the newest version of Android 9.53.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:What percentage of Android will be patched by thegarbz · · Score: 1

      Not sure why you're quoting version numbers instead of manufacturer support. This isn't iOS. Most security fixes are backported to earlier versions of Android. E.g. Samsung Galaxy Tab 3 which is now 5 years old had its most recent security update applied in February this year for both devices running 4.4/Kitkat and those which were optionally upgraded to 5/Lollipop by users.

      And that's to say nothing of the many security problems that are resolved in Android by simply updating some application through the play store which includes things such as security flaws in system components and drivers.

    4. Re:What percentage of Android will be patched by Anonymous Coward · · Score: 0

      ... the 92% with 4.4/Kitkat or better?

      Chinese branded tablets are shipping with Android 4.4, I wonder if they'll be upgraded. My Android 5 device will get its EoL update in the new year, so I should be safe.

    5. Re:What percentage of Android will be patched by perpenso · · Score: 1

      Not sure why you're quoting version numbers instead of manufacturer support. This isn't iOS. Most security fixes are backported to earlier versions of Android. E.g. Samsung Galaxy Tab 3 which is now 5 years old had its most recent security update applied in February this year for both devices running 4.4/Kitkat and those which were optionally upgraded to 5/Lollipop by users.

      A Samsung branded device is no assurance of a patch. I have older Galaxy S phones that have not been offered patches in years.

    6. Re:What percentage of Android will be patched by markdavis · · Score: 1

      >"Not sure why you're quoting version numbers instead of manufacturer support. This isn't iOS. Most security fixes are backported to earlier versions of Android"

      Even that doesn't help much as an explanation, either. I am one of the 50% that have Android 6.0.1, but it is on a Nexus 5. Google hasn't pushed a single OS update since Dec 2016, and likely never will. So it won't matter if they push it to older versions of Android, because I still won't get it, even on Google's own device.

    7. Re:What percentage of Android will be patched by thegarbz · · Score: 1

      I have a Galaxy S4, last patch was in March. I have an S5 last patch was 3 weeks ago.

      Prior to that there existed no patching framework as it was only introduced in KitKat.

    8. Re:What percentage of Android will be patched by thegarbz · · Score: 1

      That's not a guarantee. Google has pushed out security updates for devices past its guaranteed security update window in the past. But all in all you're still talking about a single device. The problem is ultimately one of vendors. In the security and core OS the issue is long solved.

      E.g. 2017-09-01 security update which I got on my more than 3 year old Samsung devices has been back ported all the way to KitKat, and I actually own a Tab 3 which still runs KitKat which received a security update earlier this year.

      Point is it makes zero sense to gauge the likelihood of getting an upgrade based on which version of Android you're running. .... Unless you're running 4.3 in which case the answer is a resounding no since the security framework didn't exist prior to then.

    9. Re:What percentage of Android will be patched by markdavis · · Score: 1

      >"The problem is ultimately one of vendors. In the security and core OS the issue is long solved."

      My point in all this was the original statement about back-porting it to Android 6. Even Google won't update their own Nexus devices running Android 6 [with other bug and security fixes], so why would any other vendor? Now, I say that, but I suppose it is POSSIBLE Google might update older devices running 6... I don't think we have had a security concern of this magnitude in recent history, so I guess we just wait and see. In this particular case, it wouldn't be difficult to develop and deliver a tiny patch for a single driver to devices to which they already have access.

      Of course the big issue is going beyond Google's own devices, and that really is a major problem when we hit something like this.

      >"But all in all you're still talking about a single device. "

      Not really. Not only do I have a Nexus 5 running Android 6, I have a Nexus 10 also running Android 6. :)

    10. Re:What percentage of Android will be patched by nasch · · Score: 1

      You're agreeing with him. He said the issue is manufacturer support, not OS version, and that's exactly the problem you described.

    11. Re:What percentage of Android will be patched by markdavis · · Score: 1

      >"You're agreeing with him. He said the issue is manufacturer support, not OS version, and that's exactly the problem you described."

      Yeah, I am probably too tired to be replying right now ;)

    12. Re:What percentage of Android will be patched by nasch · · Score: 1

      Pleasant dreams. :-)

    13. Re:What percentage of Android will be patched by fearlezz · · Score: 1

      As I know from first-hand experience (broadpwn), Samsung SGS8 will get its update one and a half months after stock Android received its patch. Samsung SGS7, SGS6 will get it in 3 months. And SGS5 (which was still for sale just a year ago) will go unpatched for so long that the few users that had one switched to a brand new iPhone.
      Yup, no more Samsung in my company.

      --
      .sig: No such file or directory
    14. Re:What percentage of Android will be patched by thegarbz · · Score: 1

      so why would any other vendor?

      What a silly statement. Because not all vendors are the same? I just gave you an example of 2 devices which are almost twice as old running versions of Android far earlier than the Nexus. Don't put Google on some pedestal of perfection that others can't reach or even exceed.

      What Google decides to push specifically to the Nexus 5 has nothing to do with what fixes they apply to Android, fixes which they patch all the way to KitKat.

    15. Re:What percentage of Android will be patched by perpenso · · Score: 1

      I have a Galaxy S4, last patch was in March. I have an S5 last patch was 3 weeks ago.

      Prior to that there existed no patching framework as it was only introduced in KitKat.

      My S4 mini hasn't patched in years.

    16. Re:What percentage of Android will be patched by thegarbz · · Score: 1

      Samsung issued security updates to the S4 mini in April this year, and before that November last year. Sounds like your shitty carrier is getting in the way.

    17. Re:What percentage of Android will be patched by Anonymous Coward · · Score: 0

      > The .02% with 8/Oreo or better

      If they have paid more than $ XXX for a flagship device,
      plus $ XXX premium for "unlocked" device, not bound by the whims of a telco
      and only if the moon-raise is visible at a strictly defined multiple-of-pi angle as observed from the north edge of the great pyramid

    18. Re:What percentage of Android will be patched by perpenso · · Score: 1

      Samsung issued security updates to the S4 mini in April this year, and before that November last year. Sounds like your shitty carrier is getting in the way.

      As I said, a Samsung branded device is no assurance of a patch.

    19. Re:What percentage of Android will be patched by thegarbz · · Score: 1

      As I said, not Samsung's fault, not Google's fault, and quite critically to the very core of my original post: Nothing at all to do with vendors not updating the Android version.

    20. Re:What percentage of Android will be patched by perpenso · · Score: 1

      It doesn't matter whose fault it is. The fact remains, a Samsung branded device is no assurance of a patch.

  13. Re:Windows phone already patched by thegreatbob · · Score: 1

    You're leaking smartquotes, bro.

    --
    There is no XUL, only WebExtensions...
  14. Google has promised a fix for affected devices by Anonymous Coward · · Score: 2, Insightful

    Google has promised a fix for affected devices "in the coming weeks."

    As a Nexus 5 owner, I'm not holding my breath on that being a true statement.

  15. Re:Already released patch or new patch as of today by Dog-Cow · · Score: 4, Insightful

    Sounds like a good fix to me. Instead of accepting retransmits, it's safer to restart the entire handshake.

  16. Re:MS just gets stuff done. by Hal_Porter · · Score: 1

    This is a trolling effort worthy of the legendary posters of yore!

    +5 Inciteful

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  17. Did they? by DontBeAMoran · · Score: 1

    I guess that explains why my Win10 box rebooted by itself two days ago.

    --
    #DeleteFacebook
    1. Re:Did they? by Anonymous Coward · · Score: 0

      That was just a normal monthly cumulative update that fixed a lot of other vulnerabilities that were not connected (officially by the patch notes) to this.

    2. Re:Did they? by Anonymous Coward · · Score: 0

      According to the research paper Win10, Win7 and older windows OS supporting WPA2 don't retransmit msg 3, which means it is safe against this attack. No patches required.

    3. Re:Did they? by antdude · · Score: 1

      It was the normal second Tuesday of each month from MS. :)

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  18. Microsoft is finally getting it back together by Anonymous Coward · · Score: 0

    I use linux all the time, for work, at home, etc... But I have to say, Microsoft is catching up: They have office365 working perfectly on Linux (I just wish they could sort out Skype, it's a mess). And now this, they're patching faster than google? There's been a ton of time for them to fix it (really, like months), and google has yet to figure out how to solve the issue. It's pretty bad. If you own an android device, there's just no way to know if you're safe or not. I understand android is open, but wait a minute: you don't just build a phone and get android and the google play, there are special requirements (read: money, money) to get the store. So somehow they can get you to sign stuff so you can have google play, but security patches? no, they just don't care. Yep. It's sad.

  19. Re:Already released patch or new patch as of today by DRJlaw · · Score: 3, Interesting

    "The key negotiation process needs to allow for the possibility of radio interference, so it permits the access point to re-send the message that is step three of the handshake. If an attacker sends a copy of this message, the client device will be tricked into reverting back to the original encryption key and initialization vector used at the start of the session. The client's next transmissions will have been encrypted with the same key as earlier transmissions, even though that key was only meant for a single use. That allows for a key reuse attack, which doesn't directly expose the underlying encryption key but does make it relatively easy to decrypt the data that was encrypted, especially if something is known about the structure of the messages that were both encrypted with the same key. IP packet headers, in turn, provide exactly that."

    So Microsoft "patched" this by not properly implementing the phase 3 handshake re-transmit as it's required in spec of 802.11i from the start.

    Yes, if the phase 3 handshake re-transmit required by the specification inherently enables a key reuse attack, then the flaw is not in the implementation, but the specification itself, and security would dictate that one refuse to enable that portion of the specification. Losing the ability to initialize a connection in a high RFI environment, which most installations attempt to avoid and mitigate, is an inconvenience. Having your traffic snooped is quite a bit more of an issue.
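Added example, not part of the thread and not any vendor's patch: a toy Python model of the message 3 retransmission described in the comment above. It compares a client that reinstalls the key and resets its packet counter on every message 3 with one that refuses to reinstall a key already in use. The hash-based keystream is a stand-in for the real cipher, and all class, function and constant names are assumptions made for illustration.

```python
import hashlib

# Constructed sample values (not taken from any real capture).
PTK = b"constructed-session-key"
P1 = b"frame one: hello"
P2 = b"frame two: world"


def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Toy counter-mode keystream: depends only on (key, packet number)."""
    out, block = b"", 0
    while len(out) < length:
        seed = key + pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hashlib.sha256(seed).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Hypothetical supplicant that tracks the installed key and TX counter."""

    def __init__(self, reinstall_on_retransmit: bool):
        self.reinstall_on_retransmit = reinstall_on_retransmit
        self.installed_key = None
        self.tx_pn = 0
        self.nonces_used = []  # every (key, packet number) pair ever sent

    def on_msg3(self, ptk: bytes) -> str:
        already_in_use = self.installed_key == ptk
        if already_in_use and not self.reinstall_on_retransmit:
            # Hardened: acknowledge the retransmission, keep the counter.
            return "msg4"
        # First install, or the flawed path: the counter restarts at zero.
        self.installed_key = ptk
        self.tx_pn = 0
        return "msg4"

    def send(self, plaintext: bytes) -> bytes:
        self.tx_pn += 1
        self.nonces_used.append((self.installed_key, self.tx_pn))
        ks = keystream(self.installed_key, self.tx_pn, len(plaintext))
        return xor(plaintext, ks)


def reused_nonces(client: Client) -> list:
    """Detection check: (key, packet number) pairs used more than once."""
    seen, dupes = set(), []
    for pair in client.nonces_used:
        if pair in seen:
            dupes.append(pair)
        seen.add(pair)
    return dupes


def run_session(client: Client):
    """One handshake, one data frame, a repeated message 3, another frame."""
    client.on_msg3(PTK)
    c1 = client.send(P1)
    client.on_msg3(PTK)  # retransmitted copy of message 3
    c2 = client.send(P2)
    return c1, c2


if __name__ == "__main__":
    for flag in (True, False):
        c = Client(reinstall_on_retransmit=flag)
        c1, c2 = run_session(c)
        print(flag, len(reused_nonces(c)), xor(c1, c2) == xor(P1, P2))
```

With reinstallation enabled both frames share one keystream, so the XOR of the two ciphertexts equals the XOR of the two plaintexts; with it disabled the counter keeps advancing and no pair repeats.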

  20. Some details please by 140Mandak262Jamuna · · Score: 2

    From what I understand, the attack is on the router, forcing it to re use known keys for encryption. How do the client devices fix this issue?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Some details please by Anonymous Coward · · Score: 0

      By not accepting the retransmissions and restarting the handshake? That's what I got from skimming the comments on the way down here.

    2. Re:Some details please by guruevi · · Score: 2

      The problem is on the client imho. Basically what you do is replay the authentication packet "as if" the packet got lost and you're just asking for the packet to be re-sent. The client will then re-send predictable data (zeros) which an attacker can thus use to decrypt the key.

      It's a bit similar to the apocryphal story about hacking the Enigma, if you send "Heil Hitler" at the end of every message or weather reports, you can guess those portions of a key and by calculating back/forwards you can get a number of partial or complete messages.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    3. Re:Some details please by Anonymous Coward · · Score: 0

      The attack is just in range of the wifi. You don't need physical access to the router.

    4. Re:Some details please by 140Mandak262Jamuna · · Score: 1

      You don't need physical access. Just within wifi range. But still it is the router that sends back a predictable packet and allows the hacker to guess the decryption key. How can the client machine stop the router from retransmitting the key?

      Maybe it can start a fresh handshake every time anyone reports a lost packet and requests a retransmission. Assume all retransmission requests are hostile intrusion. Not sure I get it fully even now.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    5. Re:Some details please by thegarbz · · Score: 1

      By ignoring any attempt to re-transmit and restarting the entire handshake process from the beginning. Ultimately it will result in a slower connection if something doesn't go perfectly the first go but the security flaw relies on a spec feature that was designed to cope with transmission errors during the negotiation process.

    6. Re: Some details please by Anonymous Coward · · Score: 0

      The attack is against the client. The bad guy impersonates the router in a mitm attack and convinces the client to reregister its key.

  21. Has MS patched dnsapi.dll for Win8-10? by Anonymous Coward · · Score: 0

    Has MS patched dnsapi.dll for Win8-10 (local DNS cache = bad)? Win7 = unaffected (best one & why I use it) https://www.bishopfox.com/blog/2017/10/a-bug-has-no-name-multiple-heap-buffer-overflows-in-the-windows-dns-client/

    * Anyone wonder WHY I use hosts files in combination w/ OpenDNS (patched vs. kaminsky redirect poisoning) vs. UNPATCHED remote DNS or unpatched ISP dns (99++% aren't patched vs. kaminsky redirect poisonings)?

    Don't wonder why after reading the above...

    APK

    P.S.=> For more speed, security, reliability & anonymity online accept NO substitute for APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ ... apk

    1. Re:Has MS patched dnsapi.dll for Win8-10? by Anonymous Coward · · Score: 0

      Win7 dnsapi has a bug, try to include microsoft.com or msn.com into your hosts file. Do you wonder why you can't block all microsoft domains even with 127.0.0.1 microsoft.com included on your hosts file? The bug is inside dnsapi, so don't fool us by claiming Win7 doesn't have a bug in its dnsapi.dll!

  22. Linux patches out already - well ubuntu/debian by Anonymous Coward · · Score: 2, Informative

    wpa (2.1-0ubuntu1.5) trusty-security; urgency=medium

        * SECURITY UPDATE: Multiple issues in WPA protocol
            - debian/patches/2017-1/*.patch: Add patches from Debian jessie
            - CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080,
                CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087,
                CVE-2017-13088
        * SECURITY UPDATE: Denial of service issues
            - debian/patches/2016-1/*.patch: Add patches from Debian jessie
            - CVE-2016-4476
            - CVE-2016-4477

      -- Marc Deslauriers Mon, 16 Oct 2017 08:20:18 -0400

  23. Re:MS just gets stuff done. by Anonymous Coward · · Score: 0

    Compared to these, I miss the GNAA trolls from years ago

  24. Government too... by Anonymous Coward · · Score: 0

    Keep in mind that part of the reason these radios are NOT re-programmable is because of government restrictions concerned with out of band operation. One of the side effects of that is lack of documentation for ensuring the radios work correctly, or nowadays signing of the firmware so you can't reverse engineer/patch it when the problem is possible to mitigate at the device firmware level, or worse yet REQUIRES device firmware in order to mitigate.

    Computer firmware needs to be user serviceable for exactly this reason. *ALL OF IT* Anything less is just expecting compromise sooner or later because the attack surfaces are so high.

    Furthermore, I have little doubt this will come out as a government backed spy attack. The fact that the vulnerability exists across multiple platforms and devices implies that this wasn't just a common development mistake, much like the bluetooth issue. This was the intent of these standards, and likely of the Infineon smartcard issue as well.

  25. What about all of the other clients? by CanadianMacFan · · Score: 1

    It's not just the phones, tablets and computers that need to be updated. Since it's clients that need to be patched it's everything that connects to the network. Thermostats, scales, TVs, digital photo frames, ...

  26. Re:Already released patch or new patch as of today by Anonymous Coward · · Score: 0

    There appears to have been a new nwifi.sys in the Oct 2017 rollup.

  27. "already" is misleading and undeserved. by smblion · · Score: 2

    Unless the patch was deployed before the vulnerability was exposed, the word "already" shouldn't be in the headline.

    1. Re:"already" is misleading and undeserved. by Anonymous Coward · · Score: 0

      If it said "*had* already" then that could mean before the vulnerability was exposed. "Has already" simply means it happened before you read the headline.

    2. Re:"already" is misleading and undeserved. by Anonymous Coward · · Score: 0

      FYI: Microsoft patched it last Tuesday.

  28. Re:Windows phone already patched by Z00L00K · · Score: 1

    What smartquotes? Those are the most stupid things that were ever invented since they screw up code examples royally.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  29. Re:Already released patch or new patch as of today by Anonymous Coward · · Score: 0

    Hopefully it doesn't just drop the IP session. That would really suck if occasional packet loss causes a forceful oplock dismount on an SMB share.

  30. NOT SAME (read)... apk by Anonymous Coward · · Score: 0

    See subject & M$ "hardcodes" in addys in tcpip.sys resolver (not dnsapi.dll, see below as to how/why) it's 4 WinUpdate (so can't be blocked): NOT SAME!

    * I don't even HAVE dnsapi.dll turned on & I still cannot block windows' update servers in hosts OR firewall!

    (dnsapi.dll local clientside SLOWER usermode buggy service is shut off here to save CPU & other I/O wasted on a busted piece of shit that fails w/ LARGE hosts files - which LINUX HAS NO ISSUE WITH, only MS - & also per this bug I am noting)

    APK

    P.S.=> A bug I caught MS in? MS SENIOR mgt. for Windows "Client Performance Division" conceded to me https://slashdot.org/comments.pl?sid=1467692&cid=30384918/ HAVE THEY FIXED IT? No. DID THEY EVEN PRODUCE A VALID ANSWER FOR IT?? NO - & I've seen some STUPID DESIGN (hearsay) that 'allegedly' says 127.0.0.1 & 0.0.0.0 aren't SAME on client workstation OS vs. server class OS (wtf? Now THAT is inconsistent design IF true!)... apk

  31. How do you check? by craighansen · · Score: 1

    OK, so how do I check whether a system has been pwned via any of these CVEs before being patched? OpenBSD provided system updates that essentially leaked the vulnerability, and government agencies have known for at least two months, not to mention everyone that they notified. Of course, we all have complete faith in the fidelity of our beloved United States government and all commercial corporations - they've never let us down.....

    Does anyone have a utility that checks all system programs and critical files via digital signatures against the versions that are supposed to be there? Bonus points if it identifies out-of-date programs and suggests updates. Let us ignore for now the possibilities that (1) the system has been pwned so cleverly that such utilities can be fooled (2) the utility installs a backdoor that pwns the system and reports false signatures, as (3) open-sourcing the utility is a basic requirement for transparency, or many independent versions could be easily written given an appropriate database...

    The database of file signatures is the important part, and can be quickly developed from one or more clean installs (multiple installs to catch variable files). I'm already aware of signatures used to validate updates, but this is for validation of existing systems. Presumably a list of files not covered by the database is a starting point to complete the system validation.

    A little searching turned up machinery-project.org - anyone familiar with that, or can suggest other tools?

  32. Re:MS just gets stuff done. by Anonymous Coward · · Score: 0

    So says the Microsoft shill shitposting on /.

  33. Debian too... by Parker+Lewis · · Score: 1

    ... and before MS, but I think they're not paying media like TheVerge to share this.

  34. Windows Linux by Anonymous Coward · · Score: 0

    Yup. Once again we see how closed source professional development results in faster, more usable and more importantly more SECURE code than "open" source stuff made by amateurs and hobbyists.

  35. Some Androids... LineageOS is already patched by Anonymous Coward · · Score: 0

    Another reason for using this great Android distribution.

    Do not cry, but vote with your pocket, and always buy and run devices supported by the community.

  36. Not all Androids ... LineageOS is already patched by Anonymous Coward · · Score: 0

    Please stop crying for fast updates and put your money where your mouth is... you could buy only smartphones with good community support.

    You can take a look at the list:

    https://wiki.lineageos.org/devices/

  37. Google doin great as always. by dramason · · Score: 1

    "within weeks". Epic customer support.

  38. Re: MS just gets stuff done. by Brockmire · · Score: 1

    I think Jared updated the pedo profile. s/cheetos/subs/.

  39. Correct the subject by Anonymous Coward · · Score: 0

    Let's be honest... Android devices will not be patched in weeks... a few in months, but 90% never.