In-Depth

In Brief

Microsoft Updates XP WiFi Security, Worm Goes Right-Wing

• By Mathew Schwartz
• 06/08/2005

Microsoft Updates WiFi Security

Microsoft released WiFi Protected Access 2 (WPA2) and an update for the Wireless Provisioning Services Information Element (WPS IE) for Windows XP Service Pack 2.

The updates allow wireless-network-adapter drives in Windows XP to now pass WPA2 capabilities through to the Windows Wireless Auto Configuration. So, thanks to the update, products that support WPA will be compatible with the IEEE 802.11i standard.

One interesting new security feature in WPA2 is pre-authentication. According to Microsoft, “in pre-authentication, a WPA2 wireless client can perform an 802.1X authentication with other wireless access points in its range when it is still connected to its current wireless access point.”

The upgrade also better reveals service set identifiers (SSIDs), which are the names of wireless networks. Previously, in Windows XP, some of these SSIDs were hidden in the “choose a wireless network” dialog box. The new functionality makes it easier to connect to new WiFi networks.

To take full advantage of WPA2, however, users must connect to a WPA2-compatible access point (AP). For that to happen, many APs will need firmware upgrades, though many vendors, including Cisco, have already begun releasing them.

The AP upgrades are necessary because of the way old APs implement SSIDs. “Some wireless access points that are available today can advertise multiple SSIDs and support multiple logical-network configurations at the same time,” notes Microsoft. “However, because of hardware limitations, the vast majority of the wireless access points that are deployed today in public WiFi hotspots only permit one SSID to be included in the broadcast Beacon and Probe Response frames.”

In other words, even when a secondary SSID exists, a user typically can't see it unless his or her PC had previously connected to it.

There are three options for fixing the problem: “the additional wireless networks must either be implemented by using an additional set of physical wireless access points, or users must manually configure their wireless clients by using the names of hidden SSIDs,” or IT managers can update the firmware on APs. Given the cost of the first option, and the difficulty users have manually entering SSIDs (using the second option), Microsoft advises implementing the third choice—new AP firmware.

Worm Goes Right-Wing

Antivirus provider Kaspersky Labs released details of the top 20 vulnerabilities for May 20. As in April 2005, the Internet worm Mytob.c continuted to dominate infection reports, accounting for a quarter of all vulnerabilities seen during May. Variants of Netsky also remained strong.

Even so, there were some interesting quirks. For example, the seventh most-common threat was a new variant of Sober, Sober.p, which laid the groundwork for the quick-to-follow Sober.q. Each variant of Sober deactivates all previous versions of Sober.

Even so, “Sober.q didn’t make it into the top 20 for the simple reason that it’s not really a worm, but more of a robot which spammed far-right [wing] political propaganda” in German, notes Kaspersky. It also comes with its own SMTP engine.

Another wrinkle in the top threats is a new worm called Eyeveg.f. Previous variants never cracked Kaspersky’s monthly top 20, but this one hit number 14 through its use of an Internet Explorer Browser Helper Object, which lets it work with IE. Once installed, the helper “functions as a keylogger, tracking exactly which keys are pressed on the keyboard of the victim machine and then sending this information to a remote, malicious user,” notes Kaspersky.

Related Articles:

Q&A: Is Microsoft’s Security Trustworthy?
http://www.esj.com/Security/article.aspx?EditorialsID=1386

Mytob Tops Virus List
http://www.esj.com/Security/article.aspx?EditorialsID=1381