by Playfuls Staff |
16th January 2006
With every passing week, with every piece of news regarding the latest flaw of the OS designed by the company from Redmond, the words “Windows” and “security” start looking more and more like antonyms.[more]
And the latest problem in this area is refers to a vulnerability in wireless laptop software, and emerged at an annual US hacker conference called ShmooCon.
As reported by the Washington Post, te two-day convention held in Washington DC aims to tap into the collective expertise of hackers and security specialists. It is attended by about 500 hackers, technology professionals and law enforcement agents.
And at this event, Mark Loveless, a senior security researcher for Vernier Threat Labs and self-confessed hacker, revealed the wireless security flaw that has the potential to affect any laptop computer running a recent version of the Microsoft Windows operating system.
Mr Loveless’ address divulged that the security researched has successfully exploited the vulnerability on airline flights to gain access to Windows machines that other passengers were using.
The vulnerability was exposed on Windows XP or Windows 2000 laptops that were unprotected by a firewall, according to Mr Loveless, and is related to the built-in wireless capabilities in the operating system, which are configured to search for any available wireless connections on start up, but when no wireless link is found then the software establishes an ad-hoc link to a local address.
This can then be exploited using a network connection on another computer that matches the name of the network that the target computer is broadcasting.
The two computers can then "associate" with one another on the same local network giving the attacker direct access to a victim's machine.
According the Washington Post, the specifications for this Windows feature -- detailed in a technical document entitled "RFC 3927," were actually written in part by a Microsoft employee -- one B. Aboba, according to the document. Strangely enough, the developers of that spec foretold of the dangers of configuring things the way Microsoft ultimately decided to do with their wireless system in Windows. This from section 5, paragraph three of the RFC:
"NOTE: There are certain kinds of local links, such as wireless LANs, that provide no physical security. Because of the existence of these links it would be very unwise for an implementer to assume that when a device is communicating only on the local link it can dispense with normal security precautions. Failure to implement appropriate security measures could expose users to considerable risks."
As always, the company from Redmond says that it’s aware of this problem, and that it will fix is in its next patch.
