MS Patch Tuesday + KRACK

Pretty sneaky, Microsoft. While some vendors were scrambling to release updates to fix the KRACK Attack vulnerabilities disclosed today, Microsoft quietly slipped its fix into last week's Patch Tuesday.

While Windows users were dutifully installing the October 10th Patch Tuesday security updates, little did they know they were also installing a fix for the KRACK vulnerability, which was not publicly disclosed until today. The fix shipped inside a cumulative update bundling over 25 other fixes, and nothing in the update's description hinted at it until you visited the associated knowledge base article.
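To verify that the October 10th cumulative update actually landed on a machine, the following PowerShell (an added example, not code from the original article or from Microsoft) queries the Windows Update Agent's install history through its COM interface. The date threshold and the "Cumulative Update" title filter are assumptions for illustration; the KB number for a given Windows 10 build is not stated on this page and is not guessed here.

```powershell
# Added example (not from the original article): list updates the Windows Update
# Agent recorded as successfully installed on or after the October 10, 2017
# Patch Tuesday, so you can confirm the cumulative update actually landed.
# Assumption: the KRACK fix shipped in that month's cumulative update, as the
# article states; the KB number for your build is not known here and not guessed.
function Get-UpdatesInstalledSince {
    param(
        [datetime]$Since = [datetime]'2017-10-10'
    )

    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return @() }

    # WUA enumerations: Operation 1 = installation, ResultCode 2 = succeeded.
    $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 -and $_.Date -ge $Since } |
        Sort-Object Date -Descending |
        Select-Object Date, Title
}

# Cumulative updates carry their KB number in the title; filtering on the title
# keeps the output to the monthly rollups and drops definition updates and the like.
Get-UpdatesInstalledSince |
    Where-Object { $_.Title -match 'Cumulative Update' } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the machine in question. The caveat the article is making still applies: a matching title only proves the cumulative update is present, and whether that package covers the wireless fix is something you have to read the linked KB article to learn, because the update description itself does not say.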

Windows 10 October Cumulative Update

Even if you were bored enough to actually click the More info button, you would have had to be REALLY bored to spot the vague mention of a wireless security update buried in the last bullet item of the knowledge base article.

Reference to Wireless Networking Security Update

A Microsoft spokesperson told BleepingComputer that "Microsoft released security updates on October 10th and customers who have Windows Update enabled and applied the security updates are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates."

While I am not typically a fan of sneaky updates, I understand why it was necessary to fix the vulnerability while keeping information about it secret until it was officially disclosed.

Did Microsoft do the right thing by quietly patching the vulnerability, or is full disclosure the only way to go? I will let you decide.

As for the rest of the vendors releasing updates, BleepingComputer has been compiling a list of advisories and updates here: List of Firmware & Driver Updates for KRACK WPA2 Vulnerability.