Microsoft confirms vulnerability in web proxy search
In an official security advisory, Microsoft has now confirmed the vulnerability in the Web Proxy Auto-Discovery (WPAD) reported recently at Kiwicon. The function can be induced to search for WPAD servers outside the defined domain in order to load a proxy configuration for Internet Explorer. For instance, an attacker might place his own WPAD server on the Internet and inject specially crafted proxy settings into user systems to redirect their Web connections onto his own proxy so he can sniff data.
The problem results from the way that Windows attempts to resolve host names if they do not contain a fully qualified domain name. In particular, the problem occurs with third-level domains, such as contoso.co.us, and related subdomains, such as corp.contoso.co.us. The WPAD protocol puts the prefix wpad in front of the domain and looks for wpad.corp.contoso.co.us. If the server does not respond, it tries to find a server under wpad.contoso.co.us. If that fails, it calls wpad.co.us, which is outside the defined domain.
But although the discoverer of the vulnerability says that hundreds of thousands of PCs in New Zealand are affected by the problem, Microsoft points out that home users generally do not have a DNS suffix configured on their system and are not members of a domain. Microsoft says that in such cases the search goes nowhere locally, so these computers are not vulnerable. While a number of service providers do use connection-specific DNS suffixes, such configurations are reportedly nonetheless not vulnerable.
Internet Explorer 5.01, 6 and 7 under Windows 2000 (SP4), XP SP2, Server 2003 SP1 and SP2 and Vista are vulnerable. Microsoft does not, however, identify whether the browser or Windows is at fault, nor does the vendor say whether there will be an update. As a workaround, Microsoft recommends distributing proxy configurations over DHCP or entering fixed settings manually. In addition, your PC will not look for a WPAD server if the "Automatic setting search" under Tools/Internet options/connections/LAN settings/ is disabled.
Back in 1999, Internet Explorer 5.01 suffered from a similar problem when it landed outside the intended domain when looking for a WPAD server. More recently, Internet Explorer 6 had trouble with WPAD in March of 2007.
- Vulnerability in Web Proxy Auto-Discovery (WPAD) Could Allow Information Disclosure, Microsoft's security advisory
(mba)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
