Microsoft released a patch for a vulnerability that allows IT managers to set a Windows Proxy Auto-Discovery, or WPAD, entry in the DNS. If IE or Firefox are configured to “automatically detect settings,” the browser will connect to the proxy machine. The patch solves the problem for systems with no WPAD entry in the DNS, by blocking future queries for WPAD. But for systems with a WPAD entry, the patch does nothing.
IT managers who install the patch could be given a false sense of security that any compromised systems have been fixed. Microsoft representative told the company chose to leave existing WPAD entries untouched because it is not possible to differentiate legitimate WPAD entries from ones loaded by an attacker. But Microsoft could at least have included a pop-up message in that instance, warning users that the DNS has a WPAD entry, and maybe even ask if they want to keep it or block it, Reguly said.