1. Symantec/
  2. Security Response/
  3. Attack Signatures/
  4. Web Attack: WPAD Spoofing

Web Attack: WPAD Spoofing

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects HTTP requests for the wpad.dat file from malicious domains.

Additional Information

IE5's automatic proxy configuration feature, WPAD, (Web Proxy Auto-Discovery) can be fooled into using or attempting to use a non-authorized server as a proxy server. An attacker on a different network could use this to read web traffic from the IE5 client.

IE5 will search for a WPAD server by looking for machines named wpad.x.x.x in the current domain. If none is found, it will proceed up the domain name structure, until it gets to the third-level domain name.

For example, IE5 running on host a.b.c.d.net would first look for wpad.b.c.d.net, then wpad.c.d.net, then wpad.d.net.

In certain network configurations, the third-level domain is not necessarily a trusted part of the network, and an attacker could set up a server to cause IE5 clients to use a hostile machine as proxy.

Affected

  • Microsoft Internet Explorer 5.0 for Windows 2000, 5.0 for Windows 95, 5.0 for Windows 98, 5.0 for Windows NT 4.0, 5.0.1
  • Microsoft Windows 95
  • Microsoft Windows 98
  • Microsoft Windows NT 4.0

Response

Microsoft has released the following patches which rectifies this issue:

http://www.microsoft.com/windows/ie/download/critical/patch6.htm
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube