Internet Explorer allows infiltration of prepared proxy data
Microsoft has published in its Knowledge Base a workaround for a security vulnerability discussed at the ShmooCon hacker conference. Where Internet Explorer is configured to search automatically for a web proxy, it may be possible for an attacker to infiltrate a configuration file. Using the Web Proxy Autodiscovery Protocol (WPAD), the attacker can provide a prepared configuration file (Wpad.dat) via a server under his control, so that the browser's proxy settings then point to a proxy also controlled by the attacker. The browser will then use the attacker's computer as a proxy.
This allows an attacker, for example, to read a victim's HTTP traffic. In order to be able to supply fake data, however, the attacker must register his WPAD server in the DNS or WINS. In contrast to the WPAD vulnerability in Internet Explorer 5, therefore, the bug cannot be exploited over the internet. The attack is restricted to the local network.
Where no WPAD entries are present in DNS and WINS, or the DHCP proxy settings have not been correctly transferred, Microsoft recommends creating static entries, so that an attacker is no longer able to add their own entries.
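One way to audit that recommendation, as an added example that is not part of the original article or of Microsoft's workaround: it classifies each WPAD host name as reserved, unreserved or resolving to an unexpected address. The domain names, addresses and function names are constructed assumptions.

```python
import socket


def system_resolver(name):
    """Return the set of IPv4 addresses the local resolver gives for name."""
    try:
        infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def audit_wpad(names, reserved_addrs, resolve=system_resolver):
    """Classify each WPAD name against the statically reserved addresses.

    reserved   - resolves only to addresses the administrator reserved
    unreserved - does not resolve, so the name is still free to be registered
    unexpected - resolves to at least one address outside the reserved set
    """
    reserved = set(reserved_addrs)
    report = {}
    for name in names:
        addrs = set(resolve(name))
        if not addrs:
            status = "unreserved"
        elif addrs <= reserved:
            status = "reserved"
        else:
            status = "unexpected"
        report[name] = (status, sorted(addrs - reserved))
    return report


# Constructed sample records (documentation address ranges), so the audit runs offline.
SAMPLE_RECORDS = {
    "wpad.corp.example": {"192.0.2.10"},
    "wpad.lab.corp.example": {"192.0.2.10", "198.51.100.77"},
}


def sample_resolver(name):
    return SAMPLE_RECORDS.get(name.lower().rstrip("."), set())


if __name__ == "__main__":
    names = ["wpad.corp.example", "wpad.lab.corp.example", "wpad.branch.corp.example"]
    for name, (status, extra) in audit_wpad(names, {"192.0.2.10"}, sample_resolver).items():
        print(f"{name:26} {status:11} {', '.join(extra)}")
```

Omitting the `resolve` argument makes the audit use the host's own resolver, so it reports what a client on that network would actually receive.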
In local area networks in particular, besides manipulating a proxy, there are further opportunities for spying on user data. In switched networks, for example, connections can be diverted using ARP spoofing.
- How to configure Microsoft DNS and WINS to reserve WPAD registration, workaround from Microsoft