Pay attention to Microsoft Security Advisory (945713)
Written by IT News on 11:11 PM
Microsoft is warning customers about a zero-day flaw in how Windows looks up other computers on the Internet. The announcement can be read on Microsoft TechNet under the title "Microsoft Security Advisory (945713): Vulnerability in Web Proxy Auto-Discovery (WPAD) Could Allow Information Disclosure", published December 3, 2007.
The vulnerability is a variation of one patched in 1999, and attackers could exploit it to access sensitive data and redirect users to Web sites rigged with malware. It is not considered as big a threat as more recent zero-day flaws, however.
Tim Rains of the Microsoft Security Response Center communications team said in an email late Monday that the software giant is investigating new public reports of a vulnerability in how Windows resolves hostnames that do not include a fully-qualified domain name (FQDN). He said the specific technology affected is Windows' Web Proxy Auto-Discovery (WPAD) program.
The problem affects Microsoft Windows 2000 Advanced Server; Windows 2000 Datacenter Server; Windows 2000 Professional; Windows 2000 Server; Windows Server 2003 Datacenter Edition; Windows Server 2003 Enterprise Edition; Windows Server 2003 Standard Edition; Windows Server 2003 Web Edition; Windows Vista; Windows XP Home Edition; Windows XP Professional; Internet Explorer 6 and Internet Explorer 7.
This is mainly a problem for corporate users outside the U.S., though Microsoft warned that attackers could exploit it to silently redirect users to malware-laden Web sites. Though the flaw was patched years ago, researcher Beau Butler recently discovered it in more recent versions of Windows.
Suggested action and workarounds:
Create a WPAD.DAT Proxy Auto Configuration File on a Host Named WPAD in Your Organization to Direct Web Browsers to Your Organization’s Proxy
1. Create a WPAD.DAT file that adheres to the Proxy auto-config specification. For more information on Proxy Auto-Configuration (PAC) files including a sample file, see the following MSDN article.
2. Place the WPAD.DAT file in the root directory of a web server in your organization and ensure the file can be requested anonymously.
3. Create a MIME type for the WPAD.DAT file on the web server of "application/x-ns-proxy-autoconfig".
4. Create the appropriate entries in your organization's DHCP or DNS server to allow discovery of the WPAD server.
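A sample WPAD.DAT for step 1, added here as an illustration and not taken from the advisory or the MSDN article. The internal domain corp.example.com, the proxy proxy.corp.example.com:8080 and the helper names hostInDomain and hostIsSingleLabel are assumptions; only FindProxyForURL is the name the PAC specification requires.

```javascript
// WPAD.DAT: added example PAC file, not Microsoft's sample.
// Assumed (hypothetical) values: replace with your organization's own.
var INTERNAL_DOMAIN = ".corp.example.com";            // assumption
var ORG_PROXY = "PROXY proxy.corp.example.com:8080";  // assumption

// Written with ES3-style syntax and plain string operations so the same file
// loads in older PAC engines and can also be exercised under Node.

// True when host equals the domain or ends with ".<domain>". Matching on the
// leading dot keeps look-alikes such as "notcorp.example.com" out.
function hostInDomain(host, dottedDomain) {
  var h = host.toLowerCase();
  if (h === dottedDomain.substring(1)) { return true; }
  var at = h.length - dottedDomain.length;
  return at > 0 && h.indexOf(dottedDomain, at) === at;
}

// True for single-label names such as "intranet" (no dot, no IPv6 colon).
function hostIsSingleLabel(host) {
  return host.indexOf(".") === -1 && host.indexOf(":") === -1;
}

// Entry point that the browser calls for every request.
function FindProxyForURL(url, host) {
  // Normalize a fully-qualified name written with a trailing dot.
  if (host.length > 1 && host.charAt(host.length - 1) === ".") {
    host = host.substring(0, host.length - 1);
  }
  if (host.toLowerCase() === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }
  // Internal names bypass the proxy.
  if (hostIsSingleLabel(host) || hostInDomain(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Everything else goes to the organization's proxy. There is no
  // "; DIRECT" fallback, so traffic is not sent unproxied if the proxy is down.
  return ORG_PROXY;
}
```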
Disable Automatically Detect Settings in Internet Explorer
To disable the Automatically Detect setting in Internet Explorer, follow these steps:
1. Start Internet Explorer.
2. On the Tools menu, select Internet Options.
3. On the Connections tab, click LAN Settings.
4. Clear Automatically Detect Settings on the Local Area Network (LAN) Settings page.
Impact of Workaround: Internet Explorer will no longer automatically detect proxy settings.
Disable DNS Devolution
To disable automatic DNS devolution, save the following to a file with a .REG extension and then run regedit.exe /s
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"UseDomainNameDevolution"=dword:00000000
For the changes to take effect, the DNS Client service must be stopped and re-started. This can be accomplished from an elevated or administrative command prompt using the following command:
net stop dnscache & net start dnscache
Configure a Domain Suffix Search List
To create a domain suffix search list, save the following to a file with a .REG extension and then run regedit.exe /s
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"Search"=
Impact of Workaround: When a domain suffix search list is configured on client systems, only that suffix list is used in DNS queries. The primary DNS suffix and any connection-specific DNS suffixes are not used. The DNS resolver will not perform devolution, potentially breaking any applications or configurations that rely on this behavior.