Microsoft Releases Attack Advisory For WPAD Protocol
An attacker could gain access to the client's traffic by routing it through a malicious proxy server.
Microsoft released a security advisory on Wednesday, warning users about a new attack on the Web Proxy Automatic Discovery protocol (WPAD).
The government Internet threat alert center -- U.S.-CERT -- is advising users that an attacker with the ability to register a WPAD entry in a Domain Name System (DNS) or Windows Internet Naming Service (WINS) server may be able to cause a WPAD-configured client to resolve to an arbitrary host and retrieve the malicious WPAD.dat file. This may allow an attacker access to the client's traffic by routing it through a malicious proxy server.
The U.S. advisory group recommended that network administrators reserve static WPAD DNS host names and WPAD WINS name records.
A Microsoft advisory explained that client software configured to use WPAD must be able to contact a host that serves a proxy automatic configuration file (Wpad.dat). A WPAD-configured client can use several methods to locate a host that contains a Wpad.dat file. Two of these methods, Microsoft noted, require a WPAD entry to be registered in DNS or in WINS.
The attack could affect 20 different Microsoft products, including 16 versions of Windows Server 2003, several versions of Windows 2000, and Microsoft Small Business Server 2000 Standard Edition.
The Business of Going DigitalDigital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Join InformationWeek’s Lorna Garey and Mike Healey, president of Yeoman Technology Group, an engineering and research firm focused on maximizing technology investments, to discuss the right way to go digital.