p*******m
发帖数: 20761 | 1 你猪十年也补不完 哦 猪根本不care
Apple has already patched serious vulnerabilities in the WPA2 Wi-Fi standard
that protects many modern Wi-Fi networks, the company told iMore's Rene
Ritchie this morning.
The exploits have been addressed in the iOS, tvOS, watchOS, and macOS betas
that are currently available to developers and will be rolling out to
consumers soon.
A KRACK attack proof-of-concept from security researcher Mathy Vanhoef
Disclosed just this morning by researcher Mathy Vanhoef, the WPA2
vulnerabilities affect millions of routers, smartphones, PCs, and other
devices, including Apple's Macs, iPhones, and iPads.
Using a key reinstallation attack, or "KRACK," attackers can exploit
weaknesses in the WPA2 protocol to decrypt network traffic to sniff out
credit card numbers, usernames, passwords, photos, and other sensitive
information. With certain network configurations, attackers can also inject
data into the network, remotely installing malware and other malicious
software.
Because these vulnerabilities affect all devices that use WPA2, this is a
serious problem that device manufacturers need to address immediately. Apple
is often quick to fix major security exploits, so it is not a surprise that
the company has already addressed this particular issue.
Websites that use HTTPS offer an extra layer of security, but an improperly
configured site can be exploited to drop HTTPS encryption, so Vanhoef warns
that this is not a reliable protection.
Apple's iOS devices (and Windows machines) are not as vulnerable as Macs or
devices running Linux or Android because the vulnerability relies on a flaw
that allows what's supposed to be a single-use encryption key to be resent
and reused more than once, something the iOS operating system does not allow
, but there's still a partial vulnerability.
Once patched, devices running iOS, macOS, tvOS, and watchOS will not be able
to be exploited using the KRACK method even when connected to a router or
access point that is still vulnerable. Still, consumers should watch for
firmware updates for all of their devices, including routers.
Ahead of the release of the update that addresses the vulnerabilities,
customers who are concerned about attacks should avoid public Wi-Fi networks
, use Ethernet where possible, and use a VPN. | h**b
发帖数: 5635 | 2 算个屁,才发到开发者手里等小白鼠
我大微软10号就发布了 | g*****2
发帖数: 863 | | p*******m
发帖数: 20761 | 4
我大微软 怎么能和两个小渣渣比 猪渣渣将在十一月的安全补丁发布 但是但是但是 你
等贱民是没有办法享受的
我内吉尔早就安装了 啊宿舍还没出来啊
【在 h**b 的大作中提到】
: 算个屁,才发到开发者手里等小白鼠
: 我大微软10号就发布了
| p*******m
发帖数: 20761 | 5 Monday morning was not a great time to be an IT admin, with the public
release of a bug that effectively broke WPA2 wireless security.
WPA2 security flaw puts almost every Wi-Fi device at risk of hijack,
eavesdropping
WPA2 security flaw puts almost every Wi-Fi device at risk of hijack,
eavesdropping
Security experts have said the bug is a total breakdown of the WPA2 security
protocol.
Read More
As reported previously by ZDNet, the bug, dubbed "KRACK" -- which stands for
Key Reinstallation Attack -- is at heart a fundamental flaw in the way Wi-
Fi Protected Access II (WPA2) operates.
The security protocol, an upgrade from WEP, is used to protect and secure
communications between everything from our routers, mobile devices, and
Internet of Things (IoT) devices, but there is an issue in the system's four
-way handshake that permits devices with a pre-shared password to join a
network.
According to security researcher and academic Mathy Vanhoef, who discovered
the flaw, threat actors can leverage the vulnerability to decrypt traffic,
hijack connections, perform man-in-the-middle attacks, and eavesdrop on
communication sent from a WPA2-enabled device.
US-CERT has known of the bug for some months and informed vendors ahead of
the public disclosure to give them time to prepare patches and prevent the
vulnerability from being exploited in the wild -- of which there are no
current reports of this bug being harnessed by cyberattackers.
The bug is present in WPA2's cryptographic nonce and can be utilized to dupe
a connected party into reinstalling a key which is already in use. While
the nonce is meant to prevent replay attacks, in this case, attackers are
then given the opportunity to replay, decrypt, or forge packets.
In general, Windows and newer versions of iOS are unaffected, but the bug
can have a serious impact on Android 6.0 Marshmallow and newer.
The attack could also be devastating for IoT devices, as vendors often fail
to implement acceptable security standards or update systems in the supply
chain, which has already led to millions of vulnerable and unpatched IoT
devices being exposed for use by botnets.
The vulnerability does not mean the world of WPA2 has come crumbling down,
but it is up to vendors to mitigate the issues this may cause.
In total, ten CVE numbers have been preserved to describe the vulnerability
and its impact, and according to the US Department of Homeland Security (DHS
), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet,
the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology,
Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks.
Who's on top of the game?
Apple: The iPhone and iPad maker confirmed to sister-site CNET that fixes
for iOS, macOS, watchOS and tvOS are in beta, and will be rolling it out in
a software update in a few weeks.
MORE SECURITY NEWS
WPA2 security flaw puts almost every Wi-Fi device at risk of hijack,
eavesdropping
Homeland Security orders federal agencies to start encrypting sites, emails
OnePlus dials back data collection after users protest
These fake tax documents spread jRAT malware
Arris: a spokesperson said the company is "committed to the security of our
devices and safeguarding the millions of subscribers who use them," and is "
evaluating" its portfolio. The company did not say when it will release any
patches.
Aruba: Aruba has been quick off the mark with a security advisory and
patches available for download for ArubaOS, Aruba Instant, Clarity Engine
and other software impacted by the bug.
AVM: This company may not be taking the issue seriously enough, as due to
its "limited attack vector," despite being aware of the issue, will not be
issuing security fixes "unless necessary."
Cisco: The company is currently investigating exactly which products are
impacted by KRACK, but says that "multiple Cisco wireless products are
affected by these vulnerabilities."
"Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi
Protected Access protocol standards," a Cisco spokesperson told ZDNet. "When
issues such as this arise, we put the security of our customers first and
ensure they have the information they need to best protect their networks.
Cisco PSIRT has issued a security advisory to provide relevant detail about
the issue, noting which Cisco products may be affected and subsequently may
require customer attention.
"Fixes are already available for select Cisco products, and we will continue
publishing additional software fixes for affected products as they become
available," the spokesperson said.
In other words, some patches are available, but others are pending the
investigation.
Espressif Systems: The Chinese vendor has begun patching its chipsets,
namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards
for a fix.
Fortinet: At the time of writing there was no official advisory, but based
on Fortinet's support forum, it appears that FortiAP 5.6.1 is no longer
vulnerable to most of the CVEs linked to the attack, but the latest branch,
5.4.3, may still be impacted. Firmware updates are expected.
FreeBSD Project: A patch is actively being worked on for the base system.
Google: Google told sister-site CNET that the company is "aware of the issue
, and we will be patching any affected devices in the coming weeks."
HostAP: The Linux driver provider has issued several patches in response to
the disclosure.
Intel: Intel has released a security advisory listing updated Wi-Fi drives
and patches for affected chipsets, as well as Intel Active Management
Technology, which is used by system manufacturers.
Linux: As noted on Charged, a patch is a patch is already available and
Debian builds can patch now, while OpenBSD was fixed back in July.
Netgear: Netgear has released fixes for some router hardware. The full list
can be found here.
Microsoft: While Windows machines are generally considered safe, the Redmond
giant isn't taking any chances and has released a security fix available
through automatic updates.
MikroTik: The vendor has already released patches that fix the
vulnerabilities.
OpenBSD: Patches are now available.
Ubiquiti Networks: A new firmware release, version 3.9.3.7537, protects
users against the attack.
Wi-Fi Alliance: The group is offering a tool to detect KRACK for members and
requires testing for the bug for new members.
Wi-Fi Standard: A fix is available for vendors but not directly for end
users.
WatchGuard: Patches for Fireware OS, WatchGuard legacy and current APs, and
for WatchGuard Wi-Fi Cloud have become available.
Apple: Apple has patched the issue in iOS, tvOS, watchOS, macOS betas with
fixes due to roll out to consumers soon.
At the time of writing, neither Toshiba and Samsung responded to our
requests for comment. If that changes, we will update the story. | k***e
发帖数: 7933 | 6 我的是tmobile的ac1900, Merlin 380_64_0, 现在有更新了吗? | p*******m
发帖数: 20761 | 7
没有 我正在等更新
【在 k***e 的大作中提到】
: 我的是tmobile的ac1900, Merlin 380_64_0, 现在有更新了吗?
| J*******1
发帖数: 218 | 8 如果router没补,光是手机电脑补了有用吗?谁说说? |
|
