Microsoft has done a good job crafting a unique mobile experience with its Windows Phone operating system, but you wouldn't know it based on the platform's current market share. Indeed, Kantar's most recent Worldpanel ComTech report puts Windows Phone at a mere 4 percent of the U.S. mobile market.
The reasons for this could be debated endlessly — many point to the platform's weaker app market compared to Android and iOS, for example — but no matter the reasons, it's clear Microsoft still has a long way to go before it can be considered a force in mobile. Unfortunately, fumbles like a recent Wi-Fi security exploit will only serve to further slow down Windows Phone's momentum.
The exploit affects both Windows Phone 7.8 and Windows Phone 8 and allows hackers to leverage a weakness in the Wi-Fi authentication process, Microsoft's own PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2), to gain access to users' login credentials.
"In vulnerable scenarios, an attacker who successfully exploited this issue could achieve information disclosure against the targeted device," said Microsoft in a security advisory. "Microsoft is not currently aware of active attacks or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary."
To be fair, the situation under which an attacker could exploit this weakness requires a system posing as a known Wi-Fi access point, causing the Windows Phone to automatically authenticate with that system. This would then allow the attacker to intercept that device's credentials. In other words, it's unlikely anyone would bother to do this and can be more or less avoided by turning off automatic Wi-Fi authentication.
That said, Kevin O'Brien, an enterprise solution architect at CloudLock, told CIO Today that a similar exploit appeared in Microsoft's ASP .NET framework a few years back, so having it appear again suggests some oversight on Microsoft's part. O'Brien went on to add that this is a case of taking a good idea like encryption and implementing it badly.
Fortunately, Microsoft is now aware of the issue and a fix should be on the way shortly.
Edited by
Rachel Ramsey 
QUICK LINKS 
