Microsoft embarks on patching an 8-year-old Web proxy vulnerability

Microsoft has set out to patch an 8-year-old vulnerability in Windows that "helps" hackers exploit the Web Proxy Auto-Discovery (WPAD) protocol and take control of many computers through a single attack.

This vulnerability was discovered in 1999 and experts believe it may never be officially patched.

This vulnerability affects all versions of Windows including Vista, but computers in the US are not affected. Microsoft has released a patch for this "8-year-old" vulnerability that protects computers using the '.com' domain name. However, this patch does not work for machines whose domain sits under a country-level suffix such as .nz (New Zealand) or .uk (United Kingdom).

WPAD is the method web browsers use to locate the proxy configuration file (the wpad.dat file) that configures the browser's proxy settings. The bug allows the search for this configuration file to leave the safety of the intranet, paving the way for an attacker to receive the request and serve a browser configuration file of his own, and then to intercept and modify the user's web traffic.

Windows' WPAD feature is designed so that administrators do not need to configure browser proxy settings on each individual computer manually. Everything is configured automatically by WPAD, without user intervention.

Last week, Beau Butler, who goes by the handle Oddy and calls himself an "ethical hacker", presented further findings about the WPAD vulnerability at the annual Kiwicon conference held in New Zealand. Butler told conference attendees and Australia's The Age website that he found 160,000 computers in New Zealand using the .nz domain that were exposed to the WPAD vulnerability. The Age said Microsoft had asked it not to publish details of the threat, to prevent cybercriminals from using them to take control of workstations. Microsoft confirms that this is a serious problem.

However, some details about this bug can still be found with a simple query on Microsoft's own Live Search page. In addition, Microsoft itself describes how WPAD works on its Knowledge Base pages.

In the abstract of his Kiwicon talk, Oddy (Butler) also "explained all the ways in which networks can be configured that create a WPAD vulnerability". According to information on Microsoft's website, "WPAD allows services to locate an available proxy server by querying a DHCP (Dynamic Host Configuration Protocol) option or by locating a particular DNS record".

Web hosting expert Duane Wessels, who helped develop Squid, a widely used proxy server, has a web page explaining the vulnerability to users. "It basically works as follows: when the browser is opened, it issues a DNS lookup for 'wpad.foo.com', with 'foo.com' being the computer's domain name. Due to Microsoft's bug, some browsers will look up 'wpad.com', which is my server," he wrote on his website.

In fact, the DNS lookup only happens when DHCP does not supply the location of the wpad.dat file. DNS is the next option, and the lookup of 'wpad.com' is a consequence of how WPAD walks up the DNS hierarchy looking for the address of the wpad.dat proxy configuration file. Normally the WPAD search stays within the company intranet, but for country-level domains the search devolves too far and automatically continues outside the organization's network.

Regardless of how far the search extends, once a wpad.dat file is found, the browser connects, retrieves the file and applies it to its configuration. If a hacker succeeds in getting his own wpad.dat file into the browser configuration, he can point the browser at his own proxies, intercepting and modifying all of the browser's HTTP traffic.
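The DNS devolution described above can be modelled to check which candidate names a client would query and which of them fall outside the organisation's own namespace. This is an added example, not code from the article or from Microsoft; it assumes a simplified model in which the 1999 fix is "never query wpad.<tld>", and uses a small constructed stand-in for the Public Suffix List.

```python
# Added example: model WPAD DNS devolution and flag candidate names that a
# third party outside the organisation could register and answer for.
# ASSUMPTION: the 1999 fix is modelled as "never query wpad.<tld>"; real
# Windows versions differ in detail. The suffix set is a constructed
# stand-in for the Public Suffix List, covering only the domains discussed.
PUBLIC_SUFFIXES = {"com", "nz", "co.nz", "uk", "co.uk", "ac.uk"}


def wpad_candidates(fqdn, patched=True):
    """Return the hostnames WPAD devolution would query, in order.

    For host pc1.example.co.nz an unpatched client tries wpad.example.co.nz,
    wpad.co.nz and wpad.nz; the modelled fix drops the TLD-only query but
    still emits wpad.co.nz, which is exactly the .nz problem the talk raised.
    """
    labels = fqdn.lower().strip(".").split(".")[1:]  # drop the host label
    stop_at = 2 if patched else 1                     # minimum labels left
    candidates = []
    while len(labels) >= stop_at:
        candidates.append("wpad." + ".".join(labels))
        labels = labels[1:]                           # devolve one level
    return candidates


def escaping_candidates(fqdn, patched=True, suffixes=PUBLIC_SUFFIXES):
    """Candidates whose parent domain is a public suffix, i.e. a name that
    anyone (not the organisation) could register a wpad host under."""
    return [c for c in wpad_candidates(fqdn, patched)
            if c[len("wpad."):] in suffixes]


if __name__ == "__main__":
    for host in ("pc1.foo.com", "pc1.example.co.nz"):
        print(host, "->", wpad_candidates(host),
              "escapes:", escaping_candidates(host))
```

A defender can run this against the domain suffixes actually handed out to clients and make sure every name it flags is either answered authoritatively inside the organisation or blocked at the resolver.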