Microsoft
How should we fix a poorly implemented security feature? Add another feature on top and hope it works, of course.
Microsoft has warned IT departments to batten down their Wi-Fi networks following the discovery of a security vulnerability in Windows Phones that leaks users' passwords. Miscreants who set up rogue hotspots can grab from devices employees' encrypted domain credentials, needed to authenticate with corporate systems and access …
The issue is with the PEAP-MS-CHAPv2 protocol - not any hole in Windows Phone OS itself - which remains uncracked - unlike BB10 / Android / iOS.
The certificate validation feature to fix this already exists in the OS and isn't being added - it's now a requirement for secure access rather than previously just recommended....
"See what you mean, but the protocol is behaving as designed. e.g. This isn't a buffer overflow or similar type coding error....This is more a case of technology has moved on and the protocol is now too weak to use without specific mitigating controls in place..."
When was Windows 8 released again?
"My my the AC turfers/fanbois sure were all over this quick. Something tells me the only reason WP is "uncracked" is the market share."
Not at all. Microsoft's shitty security remains my bread and butter securing it.
That said, I recall another non-bug, one that Microsoft threatened legal action against anyone who claimed it existed.
Until they couldn't keep their own servers up for more than 15 seconds, the ping of death.
Still, I'd rather teach a user how to navigate a DOS tree than deal with CP/M with end users.
"The certificate validation feature to fix this already exists in the OS and isn't being added - it's now a requirement for secure access rather than previously just recommended...."
As if a man-in-the-middle attack, as is what is currently being done, can't be enhanced to validate a certificate from the corporate server.
Nope, that is impossible.
As impossible as walking on the moon, but less technologically challenging.