Ask Paul: June 21 (Premium)

Happy Friday! And welcome to the Copilot+ PC angst edition of Ask Paul, which is, of course, understandable. I feel your pain, and I definitely feel your uncertainty.
Wi-Fi woes
wright_is asks:

With the massive Wi-Fi security issue patched in Windows this month, most of the industry has been quiet on it, as they are all too focused on the AI features and the Recall debacle, that a real, serious issue slipped under the radar? Effectively, an attacker within Wi-Fi range can get full access to a PC, bypassing the firewall and it doesn't even need the user to be logged onto the PC or active, they get full admin access to the device.

I've seen many stories about it, but we didn't write about it here because it's been sort of a non-event. As is so often the case, I'm not a fan of the types of headlines I've seen for this story ("Update Your Windows PC Now to Avoid This Terrifying Wi-Fi Vulnerability," "New Wi-Fi Takeover Attack—All Windows Users Warned To Update Now," etc.) because most of the people who read those were already up-to-date and patched. But, yes, the vulnerability is real, and serious, and it impacts a wide range of recent Windows versions, supported and not. Here's the Microsoft Security Response Center notification for anyone interested.

(And not to be an ass about it, but related to my complaints about the way that some security researchers used Recall as a moment for self-promotion rather than responsibly reporting whatever issues they found to Microsoft directly, Microsoft in this case "recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure" and then names names. You know, in case you want to know what being responsible looks like: Unlike Recall, this was a real issue that would have impacted many millions of people had security researchers and Microsoft not done the right thing. Moving on.)

In case it's not obvious, Microsoft patched this vulnerability 10 days ago on Patch Tuesday, and looking just at Windows 11, that fix arrived as part of KB5039212. It's a mandatory update, etc. And that means that most of the user base was probably patched by the time the vulnerability was publicized. Which, again, is how responsible security works. I suspect most users are simply protected.

Anyway, if you use Windows and don't screw around with the Windows Update settings, you're good. If you're not, dear God, check for updates and reboot as prompted.

As for Microsoft's public posture on this, I think they handled this one correctly, unlike the corporate hack, which is an ongoing scandal handled irresponsibly, and the Recall drama, which was nonsense. In those cases, Microsoft miscommunicated the situation, but here, it did the right thing: Patch it, deploy the fix, describe the problem in a Knowledge Base article, and not draw any unnecessary attention to it.

All that said, I'm sure I wouldn't have to look too hard to find someone on Twitter ...
