Microsoft Releases Attack Advisory For WPAD Protocol

Microsoft released a security advisory on Wednesday, warning users about a new attack on the Web Proxy Automatic Discovery protocol (WPAD).

The government Internet threat alert center -- U.S.-CERT -- is advising users that an attacker with the ability to register a WPAD entry in a Domain Name System (DNS) or Windows Internet Naming Service (WINS) server may be able to cause a WPAD-configured client to resolve to an arbitrary host and retrieve the malicious WPAD.dat file. This may allow an attacker access to the client's traffic by routing it through a malicious proxy server.

The U.S. advisory group recommended that network administrators reserve static WPAD DNS host names and WPAD WINS name records.

A Microsoft advisory explained that client software configured to use WPAD must be able to contact a host that serves a proxy automatic configuration file (Wpad.dat). A WPAD-configured client can use several methods to locate a host that contains a Wpad.dat file. Two of these methods, Microsoft noted, require a WPAD entry to be registered in DNS or in WINS.

The attack could affect 20 different Microsoft products, including 16 versions of Windows Server 2003, several versions of Windows 2000, and Microsoft Small Business Server 2000 Standard Edition.