WPAD trouble - CVE-2007-1692
Last Updated: 2007-03-26 23:33:28 UTC
by Swa Frantzen (Version: 2)
Hacker conferences are more often than not a source of work for security
people. When Microsoft issued MS99-054 (fixing CVE-1999-0858) one would
have assumed they had looked into the auto-configuration of MSIE's proxy
settings deep enough to not have to fix it again. Unfortunately no such
luck was with us.
wpad names in DNS or WINS that are inserted by malicious locals are
enough to divert browsers to an unauthorized proxy. Apparently the issue
is bad enough for Microsoft to release KB 934864 about it.
To summarize to use WPAD yourself in your DHCP:
add this to your config:
option option-252 "http://example.com/path/to/proxyconfig.pac";
option wpad code 252 = text
option wpad "http://example.com/path/to/proxyconfig.pac";
See more in the recently expired IETF draft.
* Microsoft's DHCP:
If you can't do that, create a DNS TXT record with the name WPAD in
every domainname you run to avoid MSIE finding a host with that name and
do the same in WINS. (see the above mentioned KB for how to do it in
We've added this vulnerability in our overview table, Mitre assigned it
CVE-2007-1692 as name.