Engineers in Australia and the United States are scrambling to replicate and confirm a new flaw in Windows that affects every version of Windows, including Vista. The bug was demonstrated at the Kiwicon hacker conference in New Zealand last week by ethical hacker Beau Butler.
Butler said that while testing the flaw, he found more than 160,000 vulnerable computers in New Zealand. He said he tried to alert Microsoft to the problem by e-mail before going public, though he failed to get any response and assumed it was aware of the issue.
Microsoft has confirmed that the issue is serious and asked that the details not be published over fears they could be used by cybercriminals to exploit vulnerable machines.
[The bug] resides in a feature known as Web Proxy Autodiscovery (WPAD), which helps IT administrators automate the configuration of proxy settings in Internet Explorer and other Web browsers. The vulnerability can be “widely exploited” to “intercept Web sessions, direct browsers to malicious proxies, and effectively gain control over unsuspecting users’ Web traffic.”
Vulnerable browsers will traverse a company’s host domain to search for a WPAD data file used to set up the proxy feature. IE running on host a.b.c.d.net, for example, first would look in b.c.d.net, then c.d.net and finally d.net.
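As an added illustration (not code from the article or from Microsoft), the following models the domain walk just described and flags the lookups that leave the organisation's own domain. It assumes the client tries `wpad.<suffix>` at each step, stops before the bare top-level label, and that an administrator knows the organisation's domain boundary (here `c.d.net`, a constructed value).

```python
"""Added example (not from the article): models the WPAD domain walk and
flags the lookups that fall outside the organisation's own domain.

Assumptions (not stated in the article): the client tries "wpad.<suffix>"
at each step, stops before the bare top-level label, and the organisation's
domain boundary is known to the administrator (constructed: "c.d.net").
"""
from typing import Dict, List, Optional


def wpad_candidates(hostname: str) -> List[str]:
    """Names a devolving client tries, in order, for the given host.

    For a.b.c.d.net this yields wpad.b.c.d.net, wpad.c.d.net, wpad.d.net,
    matching the walk in the article (b.c.d.net, then c.d.net, then d.net).
    """
    labels = hostname.lower().strip(".").split(".")
    # Drop the host's own label, then one leading label per step; the walk
    # ends at the two-label suffix (d.net) and never queries the bare TLD.
    return ["wpad." + ".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def escaping_candidates(hostname: str, org_domain: str) -> List[str]:
    """Candidates that are NOT under org_domain.

    Each name listed here is one the organisation does not control, yet a
    client walking the domain would trust a proxy configuration served from it.
    """
    org = org_domain.lower().strip(".")

    def inside(name: str) -> bool:
        return name == f"wpad.{org}" or name.endswith(f".{org}")

    return [c for c in wpad_candidates(hostname) if not inside(c)]


def first_resolving(hostname: str, dns: Dict[str, str]) -> Optional[str]:
    """First candidate with a record in `dns` (a constructed zone snapshot),
    i.e. the name the client would actually fetch its proxy settings from."""
    return next((c for c in wpad_candidates(hostname) if c in dns), None)


if __name__ == "__main__":
    # Constructed snapshot: the organisation never published a wpad host,
    # but the parent domain d.net has one, so the client walks up to it.
    zone = {"wpad.d.net": "203.0.113.10"}
    print(wpad_candidates("a.b.c.d.net"))
    print(escaping_candidates("a.b.c.d.net", "c.d.net"))  # ['wpad.d.net']
    print(first_resolving("a.b.c.d.net", zone))          # wpad.d.net
```

Running `escaping_candidates` over an inventory of internal hostnames shows which lookups would leave the organisation's domain; publishing a `wpad` record at the organisation's own boundary stops the walk before it gets there.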
Microsoft’s general manager of product security, George Stathakopoulos, wrote, “Now that we understand the issue, we’re researching comprehensive mitigations and workarounds to protect customers.”
A patch appears to have been released in 1999, though it protected only domain names ending in .com. WPAD servers using all other addresses remained vulnerable.