Microsoft says it already patched KRACK WPA2 Wi-Fi vulnerability

Researchers recently disclosed a major vulnerability in the Wi-Fi Protected Access II (WPA2) protocol that most of us use to secure our Wi-Fi networks. "The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others," the United States Computer Emergency Readiness Team (US-CERT) has revealed. Fortunately, tech companies are starting to respond to the exploit's disclosure, and Microsoft says that it has already issued a fix.

In a statement to The Verge, Microsoft says that anyone who applies the update, or has Windows Update set to apply automatic updates, should be protected. From Microsoft:

We have released a security update to address this issue. Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.

Microsoft will publish details of the update later today, according to The Verge.

While that's good news for your Windows machine, the exploit also impacts Android, iOS, macOS, and Linux (though Linux has been patched). If you use any devices running those operating systems — and most of us do — then you'll want to make sure you're doing everything you can to protect yourself until the vulnerability is patched. For more, check out our tips on how to protect yourself from the KRACK WPA2 hack. In the meantime, if you don't have automatic updates turned on for your Windows machine, it would be wise to manually check for updates.

Updated October 16, 2017: A Microsoft spokesperson said in a statement to Windows Central that the patch was originally released as part of the company's regular Patch Tuesday updates on October 10. From Microsoft:

Microsoft released security updates on October 10th and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.

Dan Thorp-Lancaster is the Editor in Chief for Windows Central. He began working with Windows Central as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl. Got a hot tip? Send it to daniel.thorp-lancaster@futurenet.com.

26 Comments
  • Microsoft is fast on this one. Cool! It's good to see Windows begin to be a secure OS.
    P.S. Those who think Microsoft sells data to the government should know that everybody does; Google and Facebook are leaders in this department.
  • Windows has been proven to be the most secure OS. That's what happens when you're constantly under attack. You have to have a strong defense that continues to get stronger.
  • Point made.
  • However, there are other problems popping up: when I look at the detailed page of the update, Microsoft says that "After installing KB4041681, package users may see an error dialog that indicates that an application exception has occurred when closing some applications..." and I mean, really? Can they just make an update easier for the ones who are not so tech-savvy? And I think that macOS updates work a lot better than Windows Update in Windows 7 in terms of user-friendliness. I don't want to update to fix one issue but then create another issue. Can anyone tell me what those are????
  • That's good to know, but what is the update that patches the vulnerability? When was it released? I have automatic updates turned on, but I'd like to see if my devices got the fix or if I'm still waiting.
  • They'll release a statement later today. I'm guessing it was patched during Patch Tuesday, as they got notified before the vulnerability was made public.
  • They probably didn't publish the fix in a note since the issue wasn't widely known. Why give hackers info they don't need? Now that everyone knows about it, they need to publish the KB number so we can make sure we're patched.
  • I'm trying to find out, too. None of the security researchers involved in the project or any prominent researchers at other institutions can seem to find it, nor do they have one available to install.
  • I'd like to know the KB number too... If not revealed today, I will be suspicious...
  • You can hit this page: https://portal.msrc.microsoft.com/en-US/security-guidance and select patches released today. There's one for pretty much every version of Windows, and a variety of KB article numbers. Here's a more direct link that won't work first time... accept the conditions and then come back and use this link again: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2...
  • Hello, I read this post from you yesterday morning when I was trying to determine what the vulnerabilities of my home network are to the recent WPA2 encryption hack. I followed your link to the various KB releases and determined that I'm running the latest Windows 10 OS patch, so my PC should be secure. I also did some research on the type of Wi-Fi extender I'm using. I wanted to ask you a question, if you don't mind. I have set up both of my Wi-Fi systems, the Main and the Extender, so that they are whitelisted. Only machines that I have entered the MAC address for can connect to either of the networks. Would that be a good protection against the WPA2 vulnerability? I also considered configuring the Wi-Fi systems to not broadcast the SSIDs, but I am not a networking expert, so I don't want to start tinkering and end up locked out of my own system. Thanks, Steve
  • Very good questions. The vulnerability has to be patched on at least one end of the connection. That said, at home, patching either the access point / router or all the clients (phones, laptops, Xbox, etc.) would suffice. But for outside the home, it's really important that your clients are patched, since there will be unpatched access points everywhere you go for many years to come. That out of the way, for Wi-Fi security in general, having the SSID not being broadcast is mostly a "security by obscurity" measure that mostly stops random non-hostile strangers from connecting. Anyone with more hostile intent, i.e. looking to exploit your Wi-Fi network, doesn't need the SSID to be broadcast, since you will have clients already connecting, thereby constantly announcing the SSID themselves. Using MAC filtering is quite effective at preventing unknown devices connecting, but again, there are ways to work around this quite easily too. And then there's the inconvenience of not being able to easily allow friends to connect to your Wi-Fi when visiting. But if you have separate private and guest networks, MAC filtering on your private network is definitely worth doing (and not broadcasting the SSID of the private one), even if it's not going to protect from non-savvy intruders. Otherwise, your best bet is to use the best encryption available, and keep your systems (routers, access points, cable boxes, toasters, and fridges included) fully patched.
  • Pretty cool! Didn't see that coming. Good job! :)
  • nice
  • So if I have a patched Windows PC, is it secure now even if the router hasn't been patched yet?
    And is W10M already patched, or will it see a patch in the near future?
  • The attack targets the clients connected to Wi-Fi, so routers don't need to be patched for now.
  • I see no reference in the latest update 
  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2...
  • When do routers get regular security updates? My bet is many won't get an update. Edgerouter only.
  • Really the consumer routers are unlikely to get patches/firmware to resolve this unless they are of the newest models. I would imagine Tomato and DD-WRT will jump on getting this fixed. It's the commercial routers/access points that will get these fixed (if not already) like Ubiquiti, Cisco, Fortinet, and such. Actually I think WC is keeping a list of the manufacturers.
  • I notice Linksys routers aren't on the list. Are they not affected?
  • Received KB4043961 this morning, I wonder if this is it...
  • My understanding is that the patch is part of: "2017-10 Cumulative Update for Windows 10 Version 1703 for x64-based Systems (KB4041676)". Routers only need patching if used in "Access Point" mode, as the issue is mainly on the client side WiFi.
  • Routers in routing mode are also vulnerable unless they have truly implemented the WPA2 security protocol on their devices.
  • They released it on Oct 10 as part of patch Tuesday.