Google's Project Zero detailed a proof-of-concept attack against Windows 10 that is a variation of a Web Proxy Auto-Discovery protocol attack. How does this WPAD attack work, and what can be done to bolster WPAD security?
The Web Proxy Auto-Discovery Protocol (WPAD) was developed in 1999 to simplify the configuration of an organization's web browsers and applications. It enables computers to discover which web proxy they should use for different URLs without administrators having to manually configure them.
WPAD is enabled by default on all Microsoft Windows operating systems and Internet Explorer browsers. While it is supported on macOS and Linux-based operating systems, as well as the Safari, Chrome and Firefox browsers, it is not enabled by default.
As the proxy auto-config (PAC) file controls where a browser or client is directed, its security is of the utmost importance. If an attacker installs or points browsers to a malicious PAC file -- for example, via a rogue access point or WPAD injection -- they could instruct every browser on that network to use a proxy server under their control, enabling them to redirect, sniff or inject traffic as it passes through the proxy.
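One way to check what a PAC file tells clients, shown as an added example that is not part of the original article: the script lists every proxy target a PAC file can return and reports those missing from an approved list. The function name, sample PAC file and host names are constructed for illustration, and the scan is a heuristic that only sees targets written as string literals.

```python
import re

# One pass over the PAC source: comments are matched first-come so that quoted
# text inside them is skipped; groups 1/2 are set only for string literals.
_TOKEN = re.compile(r"""/\*.*?\*/|//[^\n]*|(["'])((?:\\.|(?!\1).)*)\1""", re.S)

# Proxy directives FindProxyForURL() can return. Matching is case-insensitive
# on purpose so that an oddly cased directive is still reported.
_DIRECTIVE = re.compile(r"\b(PROXY|SOCKS[45]?|HTTPS?)\s+([^\s;]+)", re.I)


def unapproved_proxies(pac_text, approved):
    """Return the sorted 'host:port' targets in pac_text not in approved."""
    allowed = {a.lower() for a in approved}
    found = set()
    for tok in _TOKEN.finditer(pac_text):
        if tok.group(1) is None:  # a comment, not a string literal
            continue
        for m in _DIRECTIVE.finditer(tok.group(2)):
            found.add(m.group(2).lower())
    return sorted(found - allowed)


# Constructed sample PAC file (not taken from any real network).
SAMPLE_PAC = r'''
function FindProxyForURL(url, host) {
  // old: return "PROXY legacy.corp.example:3128";
  if (shExpMatch(url, "http://intranet.corp.example/*")) return "DIRECT";
  if (dnsDomainIs(host, ".corp.example"))
    return "PROXY proxy1.corp.example:8080; PROXY proxy2.corp.example:8080";
  return 'PROXY 203.0.113.7:8080; DIRECT';
}
'''

# Hypothetical allowlist of the organization's own proxies.
APPROVED = {"proxy1.corp.example:8080", "proxy2.corp.example:8080"}

if __name__ == "__main__":
    for target in unapproved_proxies(SAMPLE_PAC, APPROVED):
        print("unapproved proxy target:", target)
```

A PAC file that assembles its return value at runtime will not be fully covered, so an empty result is not proof that the file is clean.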
Concerns about the security of WPAD have existed for a while, and attacks like the unholy PAC attack described by SafeBreach and the man-in-the-middle attack identified by Context Information Security show that vulnerabilities in how WPAD and PAC work can be used to capture the entire URL of every site a user visits, even when the traffic is protected with HTTPS encryption.
However, Google's Project Zero researchers have produced a proof-of-concept WPAD attack that results in the complete compromise of the targeted machine.
Although all the vulnerabilities used in the WPAD attack have been patched, the research team still recommends that Microsoft users disable WPAD by default. Hopefully, Microsoft will sandbox the JScript interpreter inside the WPAD service. Until then, the registry setting to disable WPAD can be changed in Group Policy via the Services setting under Computer Configuration > Policies > Windows Settings > Security Settings > System Services and by disabling the WinHTTP Web Proxy Auto-Discovery Service.
Administrators also need to ensure their users' devices are up to date.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)