Tuesday, March 10, 2009

Microsoft just released a patch for some WPAD vulnerabilities

Microsoft has just release three security bulletins, among them is MS09-008. This bulletin describes two DNS spoofing vulnerabilities, apparently caused by lack of caching of certain queries. The bulletin also fixes two WPAD related vulnerabilities: "DNS Server Vulnerability in WPAD Registration" and "WPAD WINS Server Registration Vulnerability". Both vulnerabilities have been known for a long time, they are caused by the fact that a lot of organizations do not have WPAD servers. An attacker could register himself as the WPAD server at a WINS server or a DNS server (if dynamic updates are enabled) and start replying to WPAD requests. According to Microsoft the vulnerabilities are fixed by "modifying the way that Windows WINS servers responds to WPAD and ISATAP name resolution requests" and "modifying the way that Windows DNS servers respond to WPAD name resolution requests". I wonder what that means...