WPAD vulnerability around since 1999!

[polonus]

Hi malware fighters,

Being around since 1999 and still not fully patched: http://www.frsirt.com/english/advisories/2007/1115
http://www.theregister.co.uk/2007/11/26/wpad_vuln_investigated/

polonus

[Lisandro]

Wow... what a difficult thing to manage

[polonus]

Hi Tech,

The quintessence is this:
"Web Proxy Auto Discovery is an interestingly
still-active-after-all-these-years design misfeature
courtesy of Microsoft. It is of particular relevance to
those of us who 'live' anywhere except the .com domain, as
Microsoft fixed it for .com a long time ago, but due to it's
DNS-(ab)using nature it is still a problem for everyone
else. This talk will explain the mechanism and it's
ramifications in some detail, and collect and present
statistics of interest. Oddy will also be explaining all the
ways in which networks can be configured in order to make
wpad leakage a non-problem." (said at this Redhat conference)

polonus

[bob3160]

Since all of these refer to Server additions, can I assume that
since I'm running XP Home SP3, this isn't anything to worry about?

[DavidR]

With the exception of Windows 2000 Professional Edition that is

[polonus]

For bob3160, DavidR, and others,

No folks, read the article in "El Reg" where it says: "A Microsoft spokesman had only minimal details about the investigation, which was prompted by a presentation last week by researcher Beau Butler at the Kiwicon security conference in New Zealand. According to this report in the Sydney Morning Herald, the flaw affects every version of Windows including Vista and is actually the continuation of an old vulnerability that Microsoft supposedly fixed years ago."

polonus