Microsoft releases statement on KRACK Wi-Fi vulnerability

Microsoft logo (Image credit: Windows Central)

A major new vulnerability in the Wi-Fi Protected Access II (WPA2) protocol was recently disclosed by researchers, potentially impacting all Wi-Fi connected devices. Microsoft already revealed that it has patched the issue, but now it has provided a bit more context.

In a statement to Windows Central, a Microsoft spokesperson said the company released the security fix on October 10 as part of its regular Patch Tuesday updates. From Microsoft:

Microsoft released security updates on October 10th and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.

That's good news for Windows machines, but the exploit is wide-ranging and impacts Android, iOS, macOS and Linux devices as well (though Linux has been patched). If you're using any other devices, you'll want to make sure you're doing everything you can to mitigate the impact until all of your devices are patched. If you have automatic updates enabled on your Windows machines, you should be covered. If you haven't yet installed the latest round of security updates, you'll want to manually check via Windows Update now.

Dan Thorp-Lancaster is the former Editor-in-Chief of Windows Central. He began working with Windows Central, Android Central, and iMore as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl.

26 Comments

Good job MS!
"...but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates." - L00king at you Google.
You will be looking at them for a long time. In the past Google has let relatively recent versions of Android go without security patches, leaving huge numbers of people at risk. For example, in January 2015 it was discovered that there was a bad web browser security hole in Android 4.3. Android 4.3 was released in July of 2013, was installed on about 60% of Android phones, and the version of Android current at that time was 5.0 with only 4.4 in between. So Google will not fix a buig in a 1.5 year old OS, the version previous to the version current at that time. But then they will turn around and complain about Microsoft not fixing bugs in a 15 year old operating system. Google doesn't care about security of their own products, they only care about taking cheap shots at their competition. When my WP dies and something new has not shown up, I will be going to the i company, and nowhere near anything Google.
I think he meant more about how Google discloses vulnerabilities before they can be patched, rather than their patching history.
Yes. That was my read on that particular part of Microsoft's statement.
do you have the actual KB# so we can check?
And how to check phone 10 has it (yes still have one for a while, as do my parents which is the bigger concern 😆)
If you are on the regular release channel for the Creators Update, KB4041676 for version 1703 should have included these fixes. This is a deduction, not something that Microsoft has explicitly stated. If you are on release preview for the Fall Creators Update, KB4043961 for version 1709 should have included these fixes. This is a deduction, not something that Microsoft has explicity stated.
So far I've only found this : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2... Looks like the usual OS's - Windows 10 all the way down to 7 (no Vista / XP of course) + Server OS's as well, still in support. No Windows Phone listed. :( Yes, I still use one.
Yeah, they dropped support for Windows Phone 8 way back.
How about the Windows 10 Mobile Phones?
It appears that was covered in October 10th KB4041676, part of which 15063.674 build for PC and mobile...however no mention of krack in the description of fixes!
That's because they said didn't disclose it.
Then how come they disclosed it for build 16299.19 which was issued October 13th!
"Fixed windows wireless networking"
Most of my devices are connected via lan, this computer is connected using home plugs, via Ethernet
Both my Windows 10 and Windows 7 machines received a patch after October 10th so I'm glad Microsoft addressed this issue very fast. My only concern is my Android device and my wife's since we're using Android 5.1 and 5.0 and cannot upgrade to 6.0
This is one of those rare situations where being on an older Android version might be better (for now). Android 6.0+ is affected by the more serious vulnerability (there are several CVE's). I believe Android 5 and below would be similar to iOS or Windows...affected but not as serious as Android6+ / Linux. Bigger long-term issue is that we may never see a fix for Android 5.x - my wife is still on 4.4.2 and this might be the final nail in the coffin for her old phone.
Thought this primarily affected routers giving physical location hackers access to your network? Why does patching end units help that?
because end clients tend to roam around and connect to different hotspots.
This can also affect wireless access points and routers. They may need to be updated also.
So no Windows 10 mobile patch then?
As much complaining as I do about microsoft, I do enjoy their security. I mean, this was patched before the news really broke. All the others still don't have anything for it as far as I read yesterday.
Great job MS, unlike Google will not give other developer time to react before they annouch to public, that's *******.
I think at least two or three of us would like reportage specifically on whether Windows 10 mobile also received the patch. I still have a Windows phone. I use it for phone calls and texting and scheduling appointments and constantly reloading webpages (Edge is the only mobile browser that turns reading an article into a game!)
Is windows 10 mobile 15063.674 patched for wifi?

Show more comments

Windows Central Newsletter