by swsieber 3262 days ago
Perhaps the auto-connect feature is what makes "connecting to a malicious network [not] necessary." It's easy to dismiss that second clause, but my guess is that it does some sort of network ping that opens itself up to the attack.

From what I can gather from a quick look at the 802.11e QoS spec* this is pretty much spot on. Many wireless clients (e.g. many phones) ping in order to discover networks faster than the access point's broadcast interval and to connect to 'hidden' APs that might not broadcast. In response, a malformed WME packet could be sent that the wireless chipset would listen to and parse.

*I am definitely not deeply familiar with WME.