Microsoft is warning customers about a zero-day flaw in how Windows looks up other computers on the Internet.
The vulnerability is a variation of one patched in 1999, and attackers could exploit it to access sensitive data and redirect users to Web sites rigged with malware. It is not considered as big a threat as more recent zero-day flaws, however.
Tim Rains of the Microsoft Security Response Center communications team said in an email late Monday that the software giant is investigating new public reports of a vulnerability in how Windows resolves hostnames that do not include a fully-qualified domain name (FQDN). He said the specific technology affected is Windows' Web Proxy Auto-Discovery (WPAD) program.
Danish vulnerability clearinghouse Secunia gave the flaw a "less critical" rating in its SA 27901 advisory, which it typically reserves for cross-site scripting and privilege escalation flaws, as well as those that allow exposure of sensitive data to local users.
The problem affects Microsoft Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows 2000 Professional; Windows 2000 Server; Windows Server 2003 Datacenter Edition; Windows Server 2003 Enterprise Edition; Windows Server 2003 Standard Edition; Windows Server 2003 Web Edition; Windows Vista; Windows XP Home Edition; Windows XP Professional; Internet Explorer 6; and Internet Explorer 7.
This is mainly a problem for corporate users outside the U.S., though Microsoft warned that attackers could exploit it to silently redirect users to malware-laden Web sites. Though the flaw was patched years ago, researcher Beau Butler recently discovered it in newer versions of Windows.
"Microsoft has not received any information to indicate customer impact at this time," Rains said. "Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process."
Microsoft Security Advisory 945713 suggests users mitigate the threat by creating a WPAD.DAT proxy auto-configuration file on a host named WPAD to direct Web browsers to the organization's proxy; disabling the automatic detection settings in Internet Explorer; disabling DNS devolution; and configuring a domain suffix search list.
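To see which lookups the DNS devolution mitigation removes, the following added example (not taken from Microsoft's advisory or from this article) lists the names a client would try for the single-label host `wpad` and flags any that fall outside the organization's own domain. It assumes a simplified model of devolution, in which the client appends its primary DNS suffix and then strips the leftmost label until two labels remain; the function names and the `example.com` and `co.xx` suffixes are constructed for illustration.

```python
# Added illustration: simplified model of DNS devolution for a single-label name.
# Assumption: the client appends its primary DNS suffix, then strips the leftmost
# label and retries until only two labels of the suffix remain.

def candidates(host, primary_suffix, devolution=True):
    """Return the FQDNs tried for `host`, in lookup order."""
    labels = primary_suffix.strip(".").lower().split(".")
    names = [f"{host}.{'.'.join(labels)}"]
    while devolution and len(labels) > 2:
        labels = labels[1:]
        names.append(f"{host}.{'.'.join(labels)}")
    return names

def audit(host, primary_suffix, org_domain, devolution=True):
    """Split the candidate names into those inside and outside org_domain."""
    org = org_domain.strip(".").lower()
    inside, outside = [], []
    for name in candidates(host, primary_suffix, devolution):
        parent = name.split(".", 1)[1]
        in_org = parent == org or parent.endswith("." + org)
        (inside if in_org else outside).append(name)
    return inside, outside

if __name__ == "__main__":
    # Constructed suffixes; "co.xx" stands in for a country-code second-level domain.
    for suffix, org in [("sales.corp.example.com", "example.com"),
                        ("sales.corp.example.co.xx", "example.co.xx")]:
        for devolve in (True, False):
            inside, outside = audit("wpad", suffix, org, devolve)
            print(f"{suffix} devolution={devolve}: outside org = {outside}")
```

Any name in the "outside" list is answered by DNS servers the organization does not control, and in this model only the three-level constructed suffix produces one. With devolution disabled the list is empty in both cases.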