One of the advantages of the Defcon conference, where crackers show how to make software more secure by exposing the ways programs are vulnerable, is that vendors can learn valuable lessons. Microsoft apparently learned one, according to this report from Greg Keizer of ComputerWorld U.S.
This week Microsoft warned Windows users of possible “man-in-the-middle” attacks that could steal passwords for some wireless networks and VPNs (virtual private networks), following a disclosure at the recent conference.
However, Keizer points out, the company hasn’t issued a security update.
The threat involves MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2), which is used to authenticate users in PPTP-based (Point-to-Point Tunneling Protocol) VPNs.
The greatest threat is a spoofed legitimate wireless hotspot, where a hacker can grab traffic out of the air. As a defence, Microsoft recommended that IT administrators add PEAP (Protected Extensible Authentication Protocol) to secure passwords for VPN sessions.