Google's Project Zero detailed a proof-of-concept attack against Windows 10 that is a variation of a Web Proxy...
Auto-Discovery protocol attack. How does this WPAD attack work, and what can be done to bolster WPAD security?
The Web Proxy Auto-Discovery Protocol (WPAD) was developed in 1999 to simplify the configuration of an organization's web browsers and applications. It enables computers to discover which web proxy they should use for different URLs without administrators having to manually configure them.
WPAD is enabled by default on all Microsoft Windows operating systems and Internet Explorer browsers. While it is supported on macOS and Linux-based operating systems, as well as the Safari, Chrome and Firefox browsers, it is not enabled by default.
As the PAC file controls where a browser or client is directed, its security is of the upmost importance. If an attacker installs or points browsers to a malicious PAC file -- for example, via a rogue access point or WPAD injection -- they could instruct every browser on that network to use a proxy server under their control, enabling them to redirect, sniff or inject traffic as it passes through the proxy.
Concerns about the security of WPAD have existed for a while, and attacks like the unholy PAC attack described by SafeBreach and the man-in-the-middle attack identified by Context Information Security show that vulnerabilities in how WPAD and PAC work can be used to capture the entire URL of every site a user visits, even when the traffic is protected with HTTPS encryption.
However, Google's Project Zero researchers have produced a proof-of-concept WPAD attack that results in the complete compromise of the targeted machine.
Although all the vulnerabilities used in the WPAD attack have been patched, the research team still recommends that Microsoft users disable WPAD by default to prevent attacks that would take exploit the identified vulnerabilities. Hopefully, Microsoft will sandbox the JScript interpreter inside the WPAD service as another prevention technique, but, until then, the registry setting to disable WPAD can be changed in Group Policy via the Services setting under ComputerConfiguration > Policies > Windows Settings > Security Settings > System Services and by disabling the WinHTTP WebProxy Auto-Discover Service.
Administrators also need to ensure their users' devices are up to date.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)
Dig Deeper on Microsoft Windows security
Related Q&A from Michael Cobb
Sending sensitive information in attachments is inherently unsafe, and the main way to secure them -- encryption -- can be implemented inconsistently... Continue Reading
Spyware can steal mundane information, track a user's every move and everything in between. Read up on the types of spyware and how to best fix ... Continue Reading
Explore the differences between symmetric vs. asymmetric encryption algorithms, including common uses and examples of both, as well as their pros and... Continue Reading