At the ShmooCon hacker conference, researchers with security firm IOActive claimed a design bug in the system used by Windows PCs to obtain proxy settings could let attackers hijack traffic. Internet Explorer on Windows PCs by default searches for a proxy server using the Web Proxy Autodiscovery Protocol and an attacker can easily register a proxy server on a network using the Windows Internet Naming Service, and other network services including the Domain Name System. “I can put up the equivalent of a detour sign on your network and redirect all the traffic,” said Chris Paget, director of research and development at IOActive. If an attack is successful, all traffic on a network will flow through the attacker’s proxy meaning the attacker can access all the data, redirect and manipulate it to his heart’s content. Fortunately, an attack is possible only with access to the target network, not from the Internet: “The biggest risk inside a corporation would come from a malicious insider. This is not worthy of mass panic or critical advisories.”
Microsoft acknowledged the problem in a support article on its TechNet Web site: “If an entity can surreptitiously register a WPAD entry in DNS or in WINS…clients may be able to route their Internet traffic through a malicious proxy server.” In its support article, Microsoft lists steps for network administrators to address the WPAD problem. The steps reserve static WPAD DNS host names and to reserve WPAD WINS name records. As a result, an attacker’s malicious WPAD name will no longer work, which will foil the malicious proxy trick, Paget said.
Microsoft, Windows, Network, Security, Vulnerability, Hijack