IE 5.0 Subject to WPAD Spoofing
Reported December 01, 1999 by Tim Adam

VERSIONS AFFECTED
Microsoft Internet Explorer 5.0

DESCRIPTION

According to the report, "The IE 5 Web Proxy Auto-Discovery (WPAD) feature enables web clients to automatically detect proxy settings without user intervention. The algorithm used by WPAD prepends the hostname "wpad" to the fully-qualified domain name and progressively removes subdomains until it either finds a WPAD server answering the hostname or reaches the third-level domain."

"For instance, web clients in the domain a.b.microsoft.com would query wpad.a.b.microsoft, wpad.b.microsoft.com, then wpad.microsoft.com. A vulnerability arises because in international usage, the third-level domain may not be trusted. A malicious user could set up a WPAD server and serve proxy configuration commands of his or her choice."

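The search order quoted above can be reproduced to audit which names a client would query and which of them fall outside a domain the organisation controls. This is an added example, not code from the report or from Microsoft; the function names, the `org_domain` parameter and the `example.com.au` input are assumptions made for illustration.

```python
def wpad_candidates(client_domain):
    """Names queried, in order, by the search the report describes."""
    labels = [l for l in client_domain.lower().strip(".").split(".") if l]
    names = []
    # Prepend "wpad", then drop the leftmost label each round; stop once the
    # next name would have fewer than three labels (the "third-level domain").
    while len(labels) >= 2:
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return names


def outside_org(client_domain, org_domain):
    """Candidates whose parent zone is not org_domain or beneath it."""
    org = org_domain.lower().strip(".")
    flagged = []
    for name in wpad_candidates(client_domain):
        parent = name[len("wpad."):]
        if parent != org and not parent.endswith("." + org):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Constructed inputs: the report's own example plus a hypothetical
    # organisation registered under a country-code second-level domain.
    for client, org in [("a.b.microsoft.com", "microsoft.com"),
                        ("a.b.example.com.au", "example.com.au")]:
        print(client, wpad_candidates(client), outside_org(client, org))
```

For the report's example nothing is flagged, while the constructed `example.com.au` client ends its search at `wpad.com.au`, a name the organisation does not control.
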
VENDOR RESPONSE

Microsoft issued a new version, IE 5.01 (also located here), that remedies this problem. Be sure to read the FAQ and Support Online article Q247733 regarding this matter. In addition, you may wish to read the IETF Protocol Internet Draft for WPAD.

CREDITS
Discovered by Tim Adam