Hacker conferences are more often than not a source of work for security people. When Microsoft issued MS99-054 (fixing CVE-1999-0858) one would have assumed they had looked into the auto-configuration of MSIE's proxy settings deep enough to not have to fix it again. Unfortunately no such luck was with us.
wpad names in DNS or WINS that are inserted by malicious locals are enough to divert browsers to an unauthorized proxy. Apparently the issue is bad enough for Microsoft to release KB 934864 about it.
To summarize to use WPAD yourself in your DHCP:
option option-252 "http://example.com/path/to/proxyconfig.pac";
option wpad code 252 = text
See more in the recently expired IETF draft.
If you can't do that, create a DNS TXT record with the name WPAD in every domainname you run to avoid MSIE finding a host with that name and do the same in WINS. (see the above mentioned KB for how to do it in Microsoft's implementations)
We've added this vulnerability in our overview table.
Mar 26th 2007
1 decade ago