A design flaw in Windows XP and Windows 2003 systems with built-in wireless capabilities could be exploited by hackers to lure Wi-Fi users into connecting to malicious wireless networks, according to Microsoft, which recently completed an investigation of the issue.
Questions about the flaw were raised last week at a security conference by Mark Loveless, a senior researcher at Vernier Networks.
In a document posted on the Nomad Mobile Research Centre website, Loveless described the issue as an "anomaly" involving Microsoft's Wireless Network Connection. "If a laptop connects to an ad hoc network, it can later start beaconing the ad hoc network's SSID [service set identifier] as its own ad hoc network without the laptop owner's knowledge," Loveless said in his advisory. "This can allow an attacker to attach to the laptop as a prelude to further attack."
Such a situation could arise, for example, when a laptop user with a wireless setup at home uses the laptop somewhere else, Loveless said in an interview with Computerworld. When started, the laptop automatically scans for networks with the same SSID as the one used at home. If it can't find that network, it connects to any ad hoc wireless network in the vicinity.
The next time the laptop is started, it can start broadcasting the ad hoc network's SSID as its own ad hoc network. Attackers could look for and associate themselves with systems broadcasting in this manner, he said.
"This is basically a configuration error that spreads virus-like from laptop to laptop," Loveless noted in the advisory. He added that in field tests, numerous ad hoc SSIDs such as 'linksys', 'dlink', 'tmobile' and 'hpsetup' were documented as being broadcast in this way.
But users who configure their systems so that they don't connect to ad hoc networks and those who use firewalls and properly patched systems should be safe from the threat, he said.
"There are a couple of conditions that need to be met before [the threat could be exploited]," Loveless said. "But it appears to me those conditions have been met in a lot of machines [based on field tests]," he said.
In a statement, Microsoft said that its investigation of the flaw has "determined that customers who have connected to an 'ad hoc' wireless network in the past that was not protected with wireless encryption could be lured into connecting to a malicious advertised 'ad hoc' wireless network under limited circumstances".
But those using firewalls and a fully updated system should be at "reduced risk" of attacks following such ad hoc connections, Microsoft said, adding that it's also possible to prevent such malicious connections by configuring systems to connect only to 'infrastructure' networks.
The company plans to release an update fixing the default configuration in a future service pack or security update.
For more information on wireless networks, our sister site Techworld has a comprehensive wireless network resource page.