The attack relies on the attacker being able to set up a system under his own control that would appear to the phone to be the access point for a requested network resource. The phone would then automatically attempt to authenticate with the access point, allowing the attacker to obtain the encrypted resource credentials.
"An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim's domain credentials", warns Microsoft in a security advisory issued Sunday. "Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource."
Microsoft is not aware of any instances of this vulnerability currently being used, nor of any impact on customers. Nevertheless, it says it is "actively monitoring this situation to keep customers informed and to provide customer guidance as necessary."
But Microsoft also says it will not issue a security update for the vulnerability (which affects Windows Phone 8 and Windows Phone 7.8). "This is not a security vulnerability that requires Microsoft to issue a security update. This issue is due to known cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol and is addressed through implementing configuration changes on the wireless access points and on Windows Phone 8 devices." It is effectively up to the user to take the necessary action.
That action is effectively two steps. Firstly, if it doesn't already do so, the network resource must be persuaded to provide a certificate. Then the user must configure the phone to require certificate validation to prove the authenticity of the access point. "Only after validating the certificate is user name and password information sent to the authentication server, so the phone can connect to the Wi-Fi network," explains the Microsoft advisory.