NEW YORK -- Summary: At Kiwicon 2007, New Zealand researcher Beau Butler presented a flaw in how Microsoft Corp.'s Internet Explorer (IE) uses the Web Proxy Autodiscovery Protocol (WPAD) functionality for some international domains. Using this flaw, a malicious user could set up a WPAD server and send proxy configuration commands to the vulnerable computer. Microsoft originally fixed this vulnerability in Security Bulletin MS99-054 by changing the way that Internet Explorer searches for WPAD servers. The new flaw discovered by Mr. Butler specifically impacts wpad.co.nz and wpad.org.nz, which are still part of the default WPAD search order. It is possible that other top-level domains (TLDs) suffer from the same vulnerability in the default search order.
A malicious user or group could use this vulnerability to redirect all HTTP and HTTPS traffic from their victims to a malicious server. Attackers can use this technique to steal online banking usernames and passwords, as well as to monitor, log and manipulate other sessions.
There are no known ongoing attacks, but several domains in the existing search order are active. It would only require a configuration change to add a malicious WPAD configuration.
Consumers are at highest risk from this flaw, as most enterprises use technologies that limit the potential damage.
Mr. Butler published details of the flaw and registered the domain names wpad.co.nz, wpad.net.nz and wpad.org.nz in late June 2007.
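The search-order problem described above can be audited from the defender's side. The following is an added example, not code from Mr. Butler, Microsoft or VeriSign iDefense: it lists the WPAD names a devolving client would query for a given hostname and flags those that sit directly under a public suffix, then applies the same check to resolver logs. The hostnames, log lines, log format and the short suffix set are constructed, and the rule that devolution stops once two labels remain is an assumption.

```python
# Added example. PUBLIC_SUFFIXES is a constructed subset, not the full Public Suffix List.
PUBLIC_SUFFIXES = {"nz", "co.nz", "org.nz", "net.nz", "com"}

def wpad_candidates(client_fqdn):
    """WPAD names queried for a host, most specific first.
    Assumption: the client strips one label at a time and stops
    once the remaining suffix has two labels."""
    labels = client_fqdn.lower().rstrip(".").split(".")
    return ["wpad." + ".".join(labels[i:]) for i in range(1, len(labels) - 1)]

def is_outside_org(name):
    """True when the parent of 'wpad.' is a public suffix, so anyone can register it."""
    parent = name.lower().rstrip(".").split(".", 1)[1]
    return parent in PUBLIC_SUFFIXES

def audit(client_fqdn):
    """Pair every candidate name with whether it leaves the organisation's namespace."""
    return [(n, is_outside_org(n)) for n in wpad_candidates(client_fqdn)]

# Constructed resolver log lines: "<timestamp> <client> <qname> <qtype>" (hypothetical format).
SAMPLE_LOG = [
    "2007-11-20T09:00:01 10.0.0.5 wpad.example.co.nz A",
    "2007-11-20T09:00:02 10.0.0.5 wpad.co.nz A",
    "2007-11-20T09:00:03 10.0.0.7 www.example.org.nz A",
    "2007-11-20T09:00:04 10.0.0.7 WPAD.org.nz. A",
]

def leaked_queries(lines):
    """Return (client, qname) for WPAD lookups that reached a public suffix."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than guessing
        client, qname = fields[1], fields[2].lower().rstrip(".")
        if qname.startswith("wpad.") and is_outside_org(qname):
            hits.append((client, qname))
    return hits

if __name__ == "__main__":
    for host in ("pc1.corp.example.co.nz", "pc1.example.com"):
        for name, outside in audit(host):
            print(host, name, "REGISTRABLE BY ANYONE" if outside else "inside organisation")
    print(leaked_queries(SAMPLE_LOG))
```

Under the stated assumption, a two-label cut-off keeps a host under example.com inside its own domain but lets a host under example.co.nz reach wpad.co.nz.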
VeriSign iDefense Quotes:
"Most enterprises are probably protected from this attack vector, but it is likely that the grandmas out there using their local ISP are not." -- Rick Howard, Director, VeriSign iDefense Intelligence Operations
VeriSign Inc. (Nasdaq: VRSN)