Microsoft Investigating Vulnerability

Microsoft Corp. announced that it is investigating new public reports of a vulnerability in the way Windows resolves hostnames that do not include a fully-qualified domain name (FQDN). The technology that the vulnerability affects is Web Proxy Auto-Discovery (WPAD).

The company has not received any information to indicate that this vulnerability has been publicly used to attack customers, and it is not aware of any customer impact at this time. Microsoft said it is aggressively investigating the public reports.

Customers whose domain name begins in a third-level or deeper domain, such as "contoso.co.us", or for whom the following mitigating factors do not apply, are at risk from this vulnerability.

Upon completion of this investigation, Microsoft said it will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Mitigating Factors:

• Customers who do not have a primary DNS suffix configured on their system are not affected by this vulnerability. In most cases, home users that are not members of a domain have no primary DNS suffix configured. Connection-specific DNS suffixes may be provided by some Internet Service Providers (ISPs), and these configurations are not affected by this vulnerability.
• Customers whose DNS domain name is registered as a second-level domain (SLD) below a top-level domain (TLD) are not affected by this vulnerability. Customers whose DNS suffixes reflect this registration would not be affected by this vulnerability. An example of a customer who is not affected is contoso.com or fabrikam.gov, where "contoso" and "fabrikam" are customer registered SLDs under their respective ".com" and ".gov" TLDs.
• Customers who have specified a proxy server via DHCP server settings or DNS are not affected by this vulnerability.
• Customers who have a trusted WPAD server in their organization are not affected by this vulnerability.
• Customers who have manually specified a proxy server in Internet Explorer are not at risk from this vulnerability when using Internet Explorer.
• Customers who have disabled 'Automatically Detect Settings' in Internet Explorer are not at risk from this vulnerability when using Internet Explorer.

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors.

• Create a WPAD.DAT Proxy Auto Configuration File on a Host Named WPAD in Your Organization to Direct Web Browsers to Your Organization's Proxy
• Disable Automatically Detect Settings in Internet Explorer
• Disable DNS Devolution
• Configure a Domain Suffix Search List

Microsoft has thanked Beau Butler for working with the company and reporting the vulnerability in Web Proxy Auto-Discovery (WPAD).