26 November 2007, 16:49

Rumour of new hole in Windows

At the Kiwicon security conference in New Zealand, a hacker has reported the discovery of a vulnerability in Windows that may allow attackers to sniff on or gain control of a large number of Windows PCs. The vulnerability is apparently a reincarnation of an old one: the Windows Proxy Autodiscovery (WPAD) that Internet Explorer 6/7 uses to automatically find a web proxy on the web and enter it in its configuration. If attackers manage to convince an Internet Explorer installation to surf via its manipulated proxy by means of its own WPAD server, the attacker would be able to sniff the HTTP traffic. Furthermore, encrypted SSL connections could also be sniffed via a man-in-the-middle attack when users thoughtlessly click away the error message that pops up in their browser. However, attackers would generally already have to have broken into a LAN for this attack to succeed.

According to reports in the New Zealand media, the hacker who discovered the problem says that the attack also works from the Internet in this case. Microsoft has apparently already been informed of the problem and is working intensively on a solution. No further information is currently available, nor is it clear whether this vulnerability is new or simply a variation of the vulnerability made public in March. Back then, Microsoft did not release an update to remedy the problem, but merely published a workaround. If DNS and WINS did not have any WPAD entries or the proxy settings had not been properly transferred via DHCP, Microsoft recommended that users create static entries so that attackers could no longer add any more entries. Back in 1999, Microsoft had its first WPAD problem with Internet Explorer 5. In cases of doubt, users can disable the option "Automatically detect settings" under Tools/Internet options/Connections/LAN settings in Internet Explorer.