Reply to post: Re: Protected Extensible Authentication Protocol

Microsoft delivers 75-count box of patches for Valentine's Day

Michael Wojcik Silver badge

Re: Protected Extensible Authentication Protocol

Yeah, ZDI doesn't provide any support for that "it doesn’t appear this protocol is used much anymore", and not that long ago it was very common – one of the most commonly used EAP variants. Cisco used it widely, for example, and AIUI it's supported by a lot of WiFi WPA/WPA2 implementations. While in theory PEAP is superseded by more recent EAP-over-TLS variants such as EAP-TTLS, I would not blithely assume no one's using it any more.

Also, with several vulnerabilities in Microsoft's implementation, the question is not "are you using it?" but "is it an available part of your attack surface?".

Unless you're sure you're blocking it (both at the perimeter and within the network – it looks like a good hook for an attacker who's penetrated the network to pivot and escalate), I'd say you should be prioritizing those updates. Along with the other Criticals and Highs.

And, yes, MS updates have often broken things. Well, that's the price you pay.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon