Google kicked off the whole monthly security bulletin practice to assure Android users, or at least owners of its Nexus and Pixel devices, that they will get timely and critical security fixes before all hell breaks loose. In a rather odd turn of events, however, Google missed that window when it rolled out the November set of security patches without a fix for the KRACK vulnerability. Fortunately, that whole scare seems to have blown over on its own before Google could finally get the fix out the door today.
Some have actually downplayed the full severity of the Wi-Fi WPA2 vulnerability known as KRACK. On paper, it is indeed frightening to have your entire network activity exposed so easily, especially when Android devices have been explicitly singled out as very vulnerable. In reality, however, it requires a specific set of circumstances for it to happen, and presumes that the Android device is even on a WPA2 network. Even then, the Android device itself won’t be compromised, as it uses encryption and security systems other than WPA2.
But a severe bug is a severe bug, and you’d think Google would immediately pounce on it. Indeed it has, if last month’s patch to the Android source code was any indication. In fact, it was expected that Google would distribute the fix in the November security bulletin, especially for its own devices. Unfortunately, the bulletin came out too early.
Due to its scheduling, the KRACK fix didn’t actually make it into the set. While that may be a bit understandable on some level, you’d also presume Google would be on top of the matter and roll out a special patch. It seems Google didn’t find KRACK to be enough of a threat to disturb its schedule. Better late than never, at least, as the fix to patch up that KRACK is finally available to still-supported Nexus and Pixel devices. Owners of OEM devices, of course, still have to wait for theirs.