
December 3rd, 2007

Microsoft confirms man-in-the-middle WPAD vulnerability

Posted by Ryan Naraine @ 3:38 pm

Categories: Black Hat, Botnets, Browsers, Data theft, Exploit code, Firefox, Hackers, Metasploit, Microsoft, Patch Watch, Pen testing, Responsible disclosure, Viruses and Worms, Vulnerability research, Windows Vista, Zero-day attacks

Tags: DNS, Vulnerability, Domain, Microsoft Corp., Microsoft Windows, Domain Names, Networking, Operating Systems, Software, Internet

Following the public release of a serious flaw in the way Windows resolves hostnames that do not include a fully-qualified domain name (FQDN), Microsoft has issued a security advisory to acknowledge the issue and offer pre-patch workarounds.

Redmond’s advisory comes more than two weeks after hacker Beau Butler discussed the issue at the Kiwicon 2007 event in New Zealand.

From Microsoft’s advisory:

A malicious user could host a WPAD server, potentially establishing it as a proxy server to conduct man-in-the-middle attacks against customers whose domains are registered as a subdomain to a second-level domain (SLD). For customers with a primary DNS suffix configured, the DNS resolver in Windows will attempt to resolve an unqualified “wpad” hostname using each sub-domain in the DNS suffix until a second-level domain is reached. For example, if the DNS suffix is corp.contoso.co.us and an attempt is made to resolve an unqualified hostname of wpad, the DNS resolver will try wpad.corp.contoso.co.us. If that is not found, it will try, via DNS devolution, to resolve wpad.contoso.co.us. If that is not found, it will try to resolve wpad.co.us, which is outside of the contoso.co.us domain.
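The devolution walk in the advisory excerpt above can be modelled to audit a primary DNS suffix for lookups that leave the organisation. This is an added example, not part of Microsoft's advisory or the original post; the function names and the short public-suffix sample are assumptions made for illustration.

```python
# Added illustration: models the DNS devolution walk described in the advisory
# so an administrator can see which unqualified "wpad" lookups leave the org.

# Constructed sample of multi-label public suffixes (assumption). A real audit
# should load the full Public Suffix List instead.
SAMPLE_PUBLIC_SUFFIXES = {"co.us", "co.nz", "co.uk", "com.au"}


def devolution_candidates(primary_suffix, host="wpad"):
    """Names tried for an unqualified host: each parent of the primary DNS
    suffix in turn, stopping once a second-level domain (two labels) is tried."""
    labels = primary_suffix.lower().strip(".").split(".")
    names = []
    while len(labels) >= 2:
        names.append(".".join([host] + labels))
        labels = labels[1:]
    return names


def registered_domain(primary_suffix, public_suffixes=SAMPLE_PUBLIC_SUFFIXES):
    """Organisational boundary: longest matching public suffix plus one label."""
    labels = primary_suffix.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in public_suffixes:
            if i == 0:
                raise ValueError("suffix is itself a public suffix")
            return ".".join(labels[i - 1:])
    # No multi-label match: treat the last label alone as the public suffix.
    return ".".join(labels[-2:])


def audit(primary_suffix, host="wpad"):
    """Return (name, inside_org) for every name the devolution walk would try."""
    boundary = registered_domain(primary_suffix)
    return [(name, name.endswith("." + boundary))
            for name in devolution_candidates(primary_suffix, host)]


if __name__ == "__main__":
    # Suffixes taken from the advisory's example plus a .com counterpart.
    for suffix in ("corp.contoso.co.us", "corp.contoso.com"):
        for name, inside in audit(suffix):
            status = "inside org" if inside else "OUTSIDE org"
            print(f"{suffix:20} {name:26} {status}")
```

Any name reported as outside the organisation is one that a third party could register and answer for, which is the exposure the advisory describes.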

The issue affects Windows 2000, Windows XP, Windows Server 2003 and Windows Vista users. It also relates to all versions of Internet Explorer, including IE 7 for Windows Vista.

During his Kiwicon 2007 talk, Butler described WPAD as a “still-active-after-all-these-years design misfeature” that was fixed for the .com domain but left vulnerable for sub-domains and other hostnames.

Microsoft’s advisory contains several recommended workarounds and mitigation guidance.

The next batch of patches from Microsoft is scheduled for December 11, 2007.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

