Microsoft admits to Wi-Fi security hole

There is a Wi-Fi security vulnerability in Windows XP, but it may not be fixed for 18 months

Microsoft has admitted that there is a security flaw in the way Windows handles wireless connections, but the company has said it may not fix the problem until its next Service Pack is released.

The flaw, within a Windows feature that automatically searches for a Wi-Fi network to connect to, was made public last Saturday by security researcher Mark Loveless at hacker conference ShmooCon. It can be used by a hacker to gain access to files on a victim's laptop, Loveless claimed.

Microsoft told ZDNet UK that it had finished investigating this claim, and had found that there is scope for users to be compromised. However, it does not plan to rush out a fix.

"Due to the design of this feature, the most appropriate method for adjusting the default behaviour is in a future Service Pack or update rollup," Microsoft said in a statement.

On Tuesday, Microsoft revealed that it was not planning to release the next Service Pack for XP, called XP SP3, until the second half of 2007.

Loveless told ShmooCon that when a PC running Windows XP or Windows 2000 boots up it will automatically try to connect to a wireless network. If the computer can't set up a wireless connection, it will establish an ad hoc connection to a local address. This is assigned with an IP address and Windows associates this address with the SSID of the last wireless network the PC connected to.

The machine will then broadcast this SSID, looking to connect with other computers in the immediate area. The danger arises if an attacker listens for computers that are broadcasting in this way, and creates a network connection of their own with that same SSID. This would allow the two machines to associate together, potentially giving the attacker access to files on the victim's PC.

Security experts said on Monday that users would be unlikely to be at risk if they had installed Service Pack 2 and enabled a local firewall.

Microsoft recommended on Wednesday that customers enable a firewall, get software updates, and install antivirus software. Customers who believe they may have been affected can contact Microsoft Product Support Services via its Web site.