Microsoft confirms man-in-the-middle WPAD vulnerability

Following the public release of a serious flaw in the way Windows resolves hostnames that do not include a fully-qualified domain name (FQDN), Microsoft has issued a security advisory to acknowledge the issue and offer pre-patch workarounds.

Redmond's advisory comes more than two weeks after hacker Beau Butler discussed the issue at the Kiwicon 2007 event in New Zealand.

From Microsoft's advisory:

A malicious user could host a WPAD server, potentially establishing it as a proxy server to conduct man-in-the-middle attacks against customers whose domains are registered as a subdomain to a second-level domain (SLD). For customers with a primary DNS suffix configured, the DNS resolver in Windows will attempt to resolve an unqualified “wpad” hostname using each sub-domain in the DNS suffix until a second-level domain is reached. For example, if the DNS suffix is corp.contoso.co.us and an attempt is made to resolve an unqualified hostname of wpad, the DNS resolver will try wpad.corp.contoso.co.us. If that is not found, it will try, via DNS devolution, to resolve wpad.contoso.co.us. If that is not found, it will try to resolve wpad.co.us, which is outside of the contoso.co.us domain.

The issue affects Windows 2000, Windows XP, Windows Server 2003 and Windows Vista users.  It also relates to all versions of Internet Explorer, including IE 7 for Windows Vista.

During his Kiwicon 2007 talk, Butler described WPAD as a "still-active-after-all-these-years design misfeature" that was fixed for the .com domain but left vulnerable for sub-domains and other hostnames.

Microsoft's advisory contains several recommended workarounds and mitigation guidance.

The next batch of patches from Microsoft  is scheduled for December 11, 2007.