Windows Vulnerability Could Compromise Millions Of PCs


By Stefanie Hoffman, ChannelWeb

2:38 PM EST Wed. Nov. 28, 2007
A serious security flaw affecting every version of the Microsoft Windows operating system, including Vista, could enable cyber criminals to take control of an untold number of machines around the globe and manipulate personal information.

The bug, which was first reported by the Sydney Morning Herald, was demonstrated last week at the Kiwicon hacker conference in New Zealand by researcher Beau Butler.

The vulnerability could ultimately compromise millions of home or office machines, particularly those located outside the U.S., subjecting them to attack by cyber criminals who could then acquire passwords, monitor Internet use, or steal personal, financial or identifying information.

"The real risk here is, someone else may automatically configure your proxy for you and redirect traffic through their malicious server," said Oliver Friedrichs, Symantec security response director. "A lot of that traffic is encrypted, but the attacker could intercept it and cause it to be unencrypted."

The flaw is located in a feature known as Web Proxy Autodiscovery (WPAD), which helps IT administrators automate the configuration of proxy settings in Internet Explorer and other browsers. Standard U.S. domains, such as .com, .net, or .edu, are not susceptible to attack. However, vulnerable browsers will travel across a company's host domain searching for the WPAD data file used to set up the proxy feature. In certain configurations, the third-level domain is not a trusted part of the network. If exploited by an attacker, the vulnerability could be used to intercept Web sessions and redirect traffic to a malicious proxy, where attackers could gain control of any personal information when the user browses the Internet.
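To check which machines this search affects, the following Python sketch (an added example, not code from the article, Microsoft or the researcher) lists the WPAD hostnames a client would look up and flags those outside the organisation's own domain. It assumes the client strips one leading label at a time and stops at two labels; the hostnames are constructed, and `co.test` stands in for a country-code suffix.

```python
# Added illustration, not from the article. Assumption: the client strips one
# leading label at a time and stops once MIN_LABELS labels remain.
MIN_LABELS = 2


def wpad_candidates(client_fqdn, min_labels=MIN_LABELS):
    """WPAD hostnames a devolving client would look up, most specific first."""
    labels = client_fqdn.strip(".").lower().split(".")
    return ["wpad." + ".".join(labels[i:])
            for i in range(1, len(labels) - min_labels + 1)]


def is_inside(name, org_domain):
    """True if name is the organisation's domain or a subdomain of it."""
    org = org_domain.strip(".").lower()
    return name == org or name.endswith("." + org)


def exposed_names(client_fqdns, org_domain):
    """Sorted WPAD lookups that fall outside org_domain for the given hosts."""
    exposed = set()
    for fqdn in client_fqdns:
        for name in wpad_candidates(fqdn):
            if not is_inside(name, org_domain):
                exposed.add(name)
    return sorted(exposed)


# Constructed inventory; "co.test" stands in for a country-code suffix
# under which organisations register third-level domains.
HOSTS_CC = ["pc7.sales.example.co.test", "mail.example.co.test"]
HOSTS_COM = ["pc7.sales.example.com"]

if __name__ == "__main__":
    for hosts, org in ((HOSTS_CC, "example.co.test"), (HOSTS_COM, "example.com")):
        for host in hosts:
            for name in wpad_candidates(host):
                status = "ok" if is_inside(name, org) else "OUTSIDE ORG"
                print(f"{host:28} -> {name:28} {status}")
        print(org, "exposed:", exposed_names(hosts, org))
```

A non-empty result marks the hosts for which the workaround mentioned later in the article, temporarily disabling Autodiscovery, matters most until a patch is available.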

"The takeaway is, if somebody fell victim to this, their browser would be routing traffic to a man-in-the-middle attack," said Craig Schmugar, threat researcher for McAfee. "You could be sitting in Italy and your Web browser traffic is going to China before its intended destination. The person in the middle could influence the information if it was not encrypted."

The problem is particularly serious for off-shore domains. However, some U.S.-based sites with third-level domains could also be affected by the vulnerability, making them susceptible to attack.

"For people outside the U.S. this is definitely a big issue," said Ed Skoudis, SANS Institute instructor and co-founder of Intelguardians. "But these top level domains are not a hard and fast predictor of where they are geographically located. The fact is, even some sites in the U.S. are not using top level domains typically associated with the U.S."

Microsoft engineers worked through the Thanksgiving holiday to address the design flaw in Windows -- a continuation of an existing vulnerability that Microsoft had allegedly fixed in 1999. The old fix was only partially effective, and the current Windows vulnerability represents a variation of the eight-year-old flaw.

"The fix was more specific than it should have been," said Schmugar. "It didn't consider other top level domains."

While security engineers have yet to come up with a fix, there are ways to work around the vulnerability until a patch can be put in place. One option includes temporarily disabling Autodiscovery, Friedrichs said.

Mark Miller, director of security response for Microsoft, confirmed that the company is further investigating the vulnerability, adding that additional security measures "may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves."

There have been no known attacks so far that have exploited this vulnerability, security experts say.

"I would imagine that if an attack were to come to light, it would be discovered fairly quickly," said Schmugar.

 