Microsoft won’t confirm proxy configuration flaw

Microsoft Tuesday was still examining the details of a vulnerability discovered by a hacker that appears to exploit an eight-year-old flaw in Windows.

So far, the company has not announced plans for a patch. In addition, the company would not confirm that the issue is based on a vulnerability first discovered in 1999 in the Web Proxy Autodiscovery Protocol (WPAD) in Windows. Nor would the company commit to the fact that any fix is under development.

Mark Miller, director of security response for Microsoft, said in a statement, "I can tell you that Microsoft is investigating and treating this issue the way it does any other vulnerability report. As part of our standard MSRC [Microsoft Security Response Center] investigation process, we have been working with the researcher and journalist to respond to reports and have engaged resources in our security response and product groups."

Miller went on to say, "Once the investigation is complete, if needed, we will take appropriate action to help protect customers. If this is a security issue, this may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves."

Microsoft did not say how long the investigation would go on.

Earlier this week, Microsoft told Australia's The Age.com.au Web site that the flaw was a serious issue.

One source who asked not to be named said, "if Microsoft is serious in fixing the problem then a fix should be available in a matter of days. If Microsoft is not serious then there will be countless delays in providing a fix and those fixes that do surface will be just as inadequate as the one from 1999."

Microsoft reportedly patched the WPAD flaw eight years ago to protect computers that use the ".com" domain as part of their corporate identity.

Some experts, however, dispute that the patch ever worked for .com domains.

The fix, however, does not work for computers that use domain country codes such as .nz  (New Zealand) or .uk (England).

WPAD is a method used by Web browsers to locate a proxy configuration file called wpad.dat that is then used to configure a Web browser's proxy settings.

Part of the flaw is linked to the fact that the search for the configuration file can leave the safety of the corporate network thus opening an avenue for a hacker to hijack the request and deliver a configuration file to the browser that is then used to intercept and modify the user's Web traffic.

The Windows WPAD feature was designed so administrators would not have to manually configure browser proxy settings on each desktop. All the automated WPAD configuration work takes place out of view of the user.

Last week, Beau Butler, who also goes by the name Oddy and the title "ethical hacker," presented his rediscovery of the WPAD flaw at the annual Kiwicon security conference at Victoria University of Wellington in New Zealand. Butler told conference attendees and Australia's The Age.com.au Web site that he found 160,000 computers in New Zealand using the .nz domain that were vulnerable to the WPAD flaw.

Network World is an InfoWorld affiliate.