Google's Project Zero detailed a proof-of-concept attack against Windows 10 that is a variation of a Web Proxy...
Auto-Discovery protocol attack. How does this WPAD attack work, and what can be done to bolster WPAD security?
The Web Proxy Auto-Discovery Protocol (WPAD) was developed in 1999 to simplify the configuration of an organization's web browsers and applications. It enables computers to discover which web proxy they should use for different URLs without administrators having to manually configure them.
WPAD is enabled by default on all Microsoft Windows operating systems and Internet Explorer browsers. While it is supported on macOS and Linux-based operating systems, as well as the Safari, Chrome and Firefox browsers, it is not enabled by default.
As the PAC file controls where a browser or client is directed, its security is of the upmost importance. If an attacker installs or points browsers to a malicious PAC file -- for example, via a rogue access point or WPAD injection -- they could instruct every browser on that network to use a proxy server under their control, enabling them to redirect, sniff or inject traffic as it passes through the proxy.
Concerns about the security of WPAD have existed for a while, and attacks like the unholy PAC attack described by SafeBreach and the man-in-the-middle attack identified by Context Information Security show that vulnerabilities in how WPAD and PAC work can be used to capture the entire URL of every site a user visits, even when the traffic is protected with HTTPS encryption.
However, Google's Project Zero researchers have produced a proof-of-concept WPAD attack that results in the complete compromise of the targeted machine.
Although all the vulnerabilities used in the WPAD attack have been patched, the research team still recommends that Microsoft users disable WPAD by default to prevent attacks that would take exploit the identified vulnerabilities. Hopefully, Microsoft will sandbox the JScript interpreter inside the WPAD service as another prevention technique, but, until then, the registry setting to disable WPAD can be changed in Group Policy via the Services setting under ComputerConfiguration > Policies > Windows Settings > Security Settings > System Services and by disabling the WinHTTP WebProxy Auto-Discover Service.
Administrators also need to ensure their users' devices are up to date.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)
Dig Deeper on Microsoft Windows security
Related Q&A from Michael Cobb
WhatsApp vulnerabilities can enable hackers to bypass end-to-end encryption and spoof messages. Expert Michael Cobb explains how these attacks work ... Continue Reading
Disabling Google location tracking involves more than turning off Location History. Learn how to manage your account settings to stop tracking ... Continue Reading
Compared to TLS 1.2, TLS 1.3 saw improvements in security, performance and privacy. Learn how TLS 1.3 eliminated vulnerabilities using cryptographic ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.