Vulnerability discovered that could allow 'man-in-the-middle' attacks on Windows DNS servers

A Microsoft vulnerability has been detected that affects the DNS server and Web Proxy Autodiscovery (WPAD) Protocol registration.

Luis Corrons at Panda Labs claimed that it is a service that allows automatic configuration of proxy settings of the computers within a network without user intervention.

It can also be used to launch ‘man-in-the-middle' attacks on Windows DNS servers, as the web browsers of the PCs in the network are configured through these WPAD entries, so a user that is getting the proxy configuration automatically could be redirected to a malicious proxy and the attacker will have access to all the traffic of the user.

Corrons claimed: “To perform this attack, the attacker could insert a WPAD entry in the DNS server when dynamic updates are enabled. Once created these values in the registry, if anyone tries to launch a ‘man-in-the-middle' attack it won't succeed, as the system will block petitions to the WPAD entry, unless this entry had not been created before applying the patch.

“Usually, if you are vulnerable to an attack and you patch the system you feel safe. For instance, all of you know about Conficker, which infects the system using the vulnerability MS08-067. Even if you have been previously infected, you can apply the patch and you won't be infected anymore through this vulnerability.

“However, in the case of MS09-008 patch it doesn't work in the same way; even if we have applied the patch, if we were already attacked through this vulnerability, it doesn't solve the problem and the ‘man-in-the-middle' attacks will continue. Why? Because in that case the data in the value GlobalQueryBlockList created when the patch is applied is ‘isatap' instead of ‘wpad isatap', so the queries to WPAD are not being blocked.”

Microsoft's Bill Sisk claimed that it had thoroughly reviewed these reports, and said ‘customers who've deployed this update are protected from the four vulnerabilities outlined in the bulletin'.

He also claimed that Microsoft was currently not aware of any attacks, and said: “We've also been collaborating with several researchers regarding the effectiveness of this update, as it is a complex issue, and have released more details about these vulnerabilities and how the security update addresses them.

“Again, I want to assure you that MS09-008 protects from potential attacks that could exploit the vulnerabilities outlined in the bulletin.”