Brian Krebs at The Washington Post explains:
At the ShmooCon gathering in Washington, D.C., today, old-school hacker and mischief maker Mark “Simple Nomad” Loveless released information on a staggeringly simple but very dangerous wireless security problem with a feature built into most laptop computers running any recent version of the Microsoft Windows operating system.
As Loveless pointed out, this “feature” of Windows actually behaves somewhat like a virus. Think of it this way: If you connect your Windows laptop to the wireless network at the local Starbucks, for instance, your computer will indefinitely store the name of the Starbucks network (invariably these are named “T-Mobile” for the wireless company that provides the service). Should you at a later date happen to open up your laptop in the vicinity of another Windows user who also had recently gotten online at Starbucks, those two machines may connect to each other without any obvious notification to either user.
As a sidenote, Loveless described in delicious detail for a rapt audience at ShmooCon how he used the trick on various airline flights to gain access to Windows machines that other passengers were using.
There is much more at the link, but the odd part is that the IETF spec for the Windows feature in question had a Microsoft co-author and warns against the implementation Microsoft used. The good news is that using a firewall prevents the vulnerability; the bad news is that so many laptop users apparently don't use one.