Volume 4, Number 44 -- December 5, 2007

Microsoft Acknowledges Security Flaw in Windows

Published: December 5, 2007

by Alex Woodie

Microsoft issued a security advisory Monday acknowledging a security flaw in all recent versions of Windows that could allow attackers to redirect Web browsers to malicious Web sites. The flaw, which resembles one Microsoft patched back in 1999, was tracked down by the software giant following its public disclosure by a New Zealand researcher at a recent security conference.

According to Microsoft, a problem in the Web Proxy Auto-Discovery (WPAD) feature in Windows XP SP2, Windows Server 2003 SP1, Windows Server 2003 SP2, and Windows Vista could allow criminals to launch "man-in-the-middle" attacks against a certain set of customers.

Microsoft says it's not aware of any such attacks, but that it's "aggressively investigating" any reports of attacks.

Only customers whose domains are registered as a subdomain of a second-level domain (SLD), such as "contoso.co.us," are vulnerable to the flaw, Microsoft says. A customer whose domain sits directly under a top-level domain (TLD), such as "contoso.com," is not subject to attack. Because of this, many PCs and servers in the United States are safe from the flaw. But millions of other Windows computers around the world are susceptible, researchers say.

The problem has to do with WPAD, the Windows feature that automatically discovers proxy server settings, and how it interacts with the DNS "devolution" feature in Windows, which strips labels from the computer's primary DNS suffix one at a time when an unqualified host name cannot be resolved.

For example, if the host "wpad.corp.contoso.co.us" is not found, devolution will have the computer automatically try "wpad.contoso.co.us," Microsoft says. If that is not found, it will try "wpad.co.us." That last name, however, lies outside the contoso.co.us domain, so anyone able to register it can answer the client's WPAD request with a proxy configuration of their choosing, an opening that attackers could use to redirect users to malicious Web sites.
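The devolution walk described above, modelled in Python as an added example (this is not code from the article, from Microsoft, or from the researcher). It assumes that devolution drops one leading label from the primary DNS suffix per step and stops once the suffix is down to two labels, which is what the contoso.co.us walk-through implies; real Windows behaviour has more knobs than this model. The inputs are constructed to mirror the advisory's example, and "registered domain" here means the organization's own domain, used as the trust boundary.

```python
"""Simplified model of WPAD host lookup under Windows DNS devolution.

Added example, not code from the article or from Microsoft.  Assumptions:
  * devolution strips one leading label from the primary DNS suffix per step;
  * it stops once the suffix is down to two labels (so "co.us" is tried, "us"
    is not), matching the advisory's contoso.co.us walk-through;
  * the organization's registered domain is the trust boundary.
"""


def devolution_candidates(host: str, primary_suffix: str,
                          min_suffix_labels: int = 2) -> list[str]:
    """Return the FQDNs tried for `host` as the suffix is devolved label by label."""
    labels = [lab for lab in primary_suffix.lower().strip(".").split(".") if lab]
    candidates = []
    while len(labels) >= min_suffix_labels:
        candidates.append(f"{host.lower()}.{'.'.join(labels)}")
        labels = labels[1:]          # drop the leftmost label and try again
    return candidates


def within_domain(fqdn: str, registered_domain: str) -> bool:
    """True if fqdn is the registered domain or a label-aligned subdomain of it."""
    fqdn = fqdn.lower().strip(".")
    boundary = registered_domain.lower().strip(".")
    return fqdn == boundary or fqdn.endswith("." + boundary)


def wpad_devolution_exposure(primary_suffix: str, registered_domain: str) -> list[str]:
    """Names the client would query for WPAD that fall outside the organization's domain.

    A non-empty result means an outsider who registers that name can serve a
    proxy auto-config file to every client configured with this DNS suffix.
    """
    return [c for c in devolution_candidates("wpad", primary_suffix)
            if not within_domain(c, registered_domain)]


if __name__ == "__main__":
    # Constructed inputs mirroring the advisory's example (not real hosts).
    for suffix, boundary in [("corp.contoso.co.us", "contoso.co.us"),
                             ("corp.contoso.com", "contoso.com")]:
        print(f"{suffix}: tries {devolution_candidates('wpad', suffix)}")
        exposed = wpad_devolution_exposure(suffix, boundary)
        print(f"  outside {boundary}: {exposed or 'none'}")
```

Run against the two constructed suffixes, the corp.contoso.co.us client ends up querying wpad.co.us, which is outside contoso.co.us, while the corp.contoso.com client stops at wpad.contoso.com and never leaves its own domain. That is the SLD-versus-TLD distinction the advisory draws: the exposure exists exactly when the organization's registered domain has more labels than the point at which devolution stops.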

There are several exceptions to this scenario, however. IT managers concerned about the flaw should read the "mitigating factors" section of Microsoft Security Advisory 945713 to find out whether they are susceptible to attack.

According to the Sydney Morning Herald, the WPAD flaw was demonstrated by security researcher Beau Butler at the Kiwicon hacker conference, which was held two weeks ago in New Zealand. Butler reportedly worked with Microsoft security engineers over the Thanksgiving holiday to confirm the flaw.

The current WPAD flaw appears similar to the "WPAD Spoofing" vulnerability that Microsoft patched in 1999 with the release of Internet Explorer version 5.01. However, that patch reportedly protected only domain names ending in ".com" and left all other domain names unprotected.








Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed



The Windows Observer


Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
