Volume 4, Number 44 -- December 5, 2007

Microsoft Acknowledges Security Flaw in Windows

Published: December 5, 2007

by Alex Woodie

Microsoft issued a security advisory Monday acknowledging the existence of a security flaw in all recent versions of Windows that could direct Web browsers to malicious Web sites. The flaw, which is similar to another flaw Microsoft patched way back in 1999, was tracked down by the software giant following its public disclosure by a New Zealand researcher at a recent security conference.

According to Microsoft, a problem in the Web Proxy Auto-Discovery (WPAD) feature in Windows XP SP2, Windows Server 2003 SP1, Windows Server 2003 SP2, and Windows Vista could allow criminals to launch "man-in-the-middle" attacks against a certain set of customers.

Microsoft says it's not aware of any such attacks, but that it's "aggressively investigating" any reports of attacks.

Only customers whose domains are registered as a subdomain to a second-level domain (SLD), such as "contoso.co.us," are vulnerable to the flaw, Microsoft says. A customer running a Web site registered as a top-level domain (TLD), such as "contoso.com," is not subject to attack. Because of this, many PCs and servers in the United States are safe from the flaw. But millions of other Windows computers around the world are susceptible to the flaw, researchers say.

The problem has to do with WPAD, the Windows feature that automatically detects proxy server settings, and how it's used in conjunction with the DNS "devolution" feature in Windows that attempts to find working Web sites.

For example, if the Web site "wpad.corp.contoso.co.us" is not found, WPAD will direct the computer to automatically try "wpad.contoso.co.us," Microsoft says. If that's not found, it will try "wpad.co.us." However, that last URL is outside of the contoso.co.us domain--a sliver of an opening that could be used by attackers to set up malicious Web sites to infect users.
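The lookup sequence described above can be modeled to audit a machine's DNS suffix. The following Python sketch is an added example, not code from Microsoft or the advisory; it assumes devolution stops once two labels remain (which matches the article's "contoso.com" and "contoso.co.us" cases) and uses a small constructed suffix set where a real audit would use the full Public Suffix List.

```python
# Constructed, partial set of registry-controlled suffixes (assumption:
# a real audit would load the full Public Suffix List instead).
REGISTRY_SUFFIXES = {"com", "us", "co.us", "nz", "co.nz", "uk", "co.uk"}


def wpad_candidates(dns_suffix):
    """WPAD names tried as devolution strips leading labels.

    Models the article's description: stripping stops at two labels."""
    labels = dns_suffix.lower().strip(".").split(".")
    names = []
    while len(labels) >= 2:
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return names


def registrable_domain(name):
    """Longest matching registry suffix plus one label, e.g. contoso.co.us."""
    labels = name.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in REGISTRY_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def exposed_lookups(dns_suffix):
    """Candidates that fall outside the organization's own domain."""
    org = registrable_domain(dns_suffix)
    if org is None:
        raise ValueError("cannot determine registrable domain: " + dns_suffix)
    return [n for n in wpad_candidates(dns_suffix)
            if not n.endswith("." + org)]


if __name__ == "__main__":
    for suffix in ("corp.contoso.co.us", "corp.contoso.com"):
        print(suffix, "->", wpad_candidates(suffix),
              "exposed:", exposed_lookups(suffix))
```

An empty result from `exposed_lookups` means every devolved WPAD name stays inside the organization's own domain; any name it returns is one the organization does not control.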

There are several exceptions to this scenario, however. IT managers concerned about the flaw should read the "mitigating factors" segment of Microsoft Security Advisory 945713 to find out if they're susceptible to attack.

According to the Sydney Morning Herald, the WPAD flaw was demonstrated by security researcher Beau Butler at the Kiwicon hacker conference, which was held two weeks ago in New Zealand. Butler reportedly worked with Microsoft security engineers over the Thanksgiving holiday to confirm the flaw.

The current WPAD flaw appears similar to the "WPAD Spoofing" vulnerability that Microsoft patched in 1999 with the release of Internet Explorer version 5.01. However, that patch reportedly only protected domain names that end in ".com," and did nothing to protect all other domain names.




Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
