Info for SysAdmins/Infosec Managers on WPAD
A new Microsoft Advisory gives further details of the WPAD (Web Proxy Auto-Discovery) vulnerability recently disclosed at Kiwicon, New Zealand's first hacker conference.
The vulnerability relates to the way that Windows systems set to autoconfigure their web proxy settings go looking for the configuration file. If they don't find one on the local network, they walk up the DNS tree, stripping one label at a time from the machine's own domain suffix and prepending "wpad", and under some circumstances end up looking for a host called wpad.co.nz or wpad.co.uk or whatever. If some enterprising haxor has registered one of these domains, they can create and offer malicious proxy configuration files, and can subsequently control the way vulnerable machines access the Web: every request is routed through a proxy of the attacker's choosing, where it can be read or altered.
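To make the lookup concrete, here is an added example (not code from the advisory or from the original post) that lists the names a WPAD client walking up the DNS tree will try for a given machine, and flags the ones that fall outside the zone the organisation actually controls. The stopping rule assumed here is that the walk continues while at least two labels remain in the suffix, which is exactly what lets a client under example.co.nz fall through to wpad.co.nz but not a client under example.com to wpad.com; the host names and the owned zone are constructed for the example.

```javascript
// Added example, not from the advisory or the original post. Computes the
// sequence of "wpad.<suffix>" names a devolving client tries for a machine.
// Assumption: devolution continues while at least two labels remain.
function wpadCandidates(fqdn) {
  const labels = fqdn.toLowerCase().replace(/\.$/, "").split(".");
  // Drop the host's own label; what remains is the DNS suffix to devolve.
  let suffix = labels.slice(1);
  const candidates = [];
  while (suffix.length >= 2) {
    candidates.push("wpad." + suffix.join("."));
    suffix = suffix.slice(1);   // strip the leftmost label and try again
  }
  return candidates;
}

// The check a sysadmin wants: which of those names lie outside the zone we
// own (ownedZone is an assumption for the example), i.e. which ones a third
// party could register and answer for.
function externalCandidates(fqdn, ownedZone) {
  const zone = ownedZone.toLowerCase();
  return wpadCandidates(fqdn).filter(name => {
    const parent = name.slice("wpad.".length);
    return parent !== zone && !parent.endsWith("." + zone);
  });
}

// Constructed sample: a workstation in a New Zealand organisation.
const sampleHost = "pc1.corp.example.co.nz";
console.log(wpadCandidates(sampleHost).join(" "));
// → wpad.corp.example.co.nz wpad.example.co.nz wpad.co.nz
console.log(externalCandidates(sampleHost, "example.co.nz").join(" "));
// → wpad.co.nz
```

Running `externalCandidates` over the suffixes actually in use on your network tells you which public names an attacker would need to own to reach your clients; for a .com domain the list is empty, which is why the issue bit ccTLDs with second-level registries hardest.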
Microsoft offers workarounds pending a proper fix of the wpad logic. Turning off wpad (automatic proxy detection) is one solution, though I'm not sure whether this can be configured for all machines in a domain using Group Policy, so it may require each machine to be configured. Similarly, there's a registry hack that needs to be applied on every machine. Another fix is to create a wpad server in your own domain and offer a legitimate proxy config file, so clients find yours before they go looking any higher ... but make sure it is a high-availability machine, since a denial-of-service attack on it would presumably reopen Pandora's box.
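The "legitimate proxy config file" is a PAC script, a JavaScript file (conventionally wpad.dat) whose FindProxyForURL function the browser calls for every request. The following is an added example, not code from the advisory or the original post, showing the kind of file a legitimate wpad host should serve next to what an attacker-registered wpad host can serve instead, plus a small check that evaluates a PAC against sample URLs and lists the proxies it names. The proxy and intranet names and the 192.0.2.0/24 address are assumptions for the example; isPlainHostName and dnsDomainIs are normally supplied by the browser and are re-implemented minimally here so the file runs under Node.

```javascript
// Added example, not the advisory's or the original post's code.
// Minimal stand-ins for the helper functions browsers expose to PAC scripts.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }

// Legitimate wpad.dat for the assumed corp.example.co.nz network: intranet
// hosts go direct, everything else through the corporate proxy, falling back
// to DIRECT if the proxy is unreachable.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example.co.nz")) {
    return "DIRECT";
  }
  return "PROXY proxy.corp.example.co.nz:8080; DIRECT";
}

// What a hostile wpad.co.nz can serve to any client that falls through to
// it: every request, HTTPS CONNECTs included, goes to the attacker's proxy
// (192.0.2.10 is a documentation address, assumed for the example).
function hostileFindProxyForURL(url, host) {
  return "PROXY 192.0.2.10:3128";
}

// Check: evaluate a PAC against representative URLs and return the distinct
// proxy endpoints it names. Any endpoint you don't recognise is the attacker.
function proxiesNamedBy(findProxy, urls) {
  const seen = new Set();
  for (const url of urls) {
    const host = new URL(url).hostname;
    for (const entry of findProxy(url, host).split(";")) {
      const parts = entry.trim().split(/\s+/);
      if (parts[0] === "PROXY" && parts[1]) seen.add(parts[1]);
    }
  }
  return [...seen].sort();
}

// Constructed sample URLs: one intranet, one external.
const sampleUrls = ["http://wiki.corp.example.co.nz/", "https://www.example.org/"];
console.log(proxiesNamedBy(FindProxyForURL, sampleUrls));
// → [ 'proxy.corp.example.co.nz:8080' ]
console.log(proxiesNamedBy(hostileFindProxyForURL, sampleUrls));
// → [ '192.0.2.10:3128' ]
```

Whichever workaround you pick, fetch http://wpad/wpad.dat (and the names the devolution would try) from a client and run it through a check like proxiesNamedBy; if an endpoint you don't run turns up, the client is already being steered.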
Good luck!