
Proxy-settings kerfuffle
By Joris Evers
Published: 26 March 2007 10:20 GMT
A problem in the way Windows PCs obtain network settings could let attackers hijack traffic, security researchers said Saturday.
The problem occurs because of a design bug in the system used by Windows PCs to obtain proxy settings, researchers with security firm IOActive said at the ShmooCon hacker conference in Washington, DC. As a result, an attacker with access to a network, for example at a corporation, could insert a malicious proxy and see all the traffic, the researchers said.
Chris Paget, director of research and development at IOActive, said in an interview after his presentation on the problem: "The upshot of it is that I can become your proxy server without you knowing about it. I can put up the equivalent of a detour sign on your network and redirect all the traffic."
An attacker can set up that "detour sign" because Internet Explorer on Windows PCs by default searches for a proxy server using the Web Proxy Autodiscovery Protocol, or WPAD, Paget said. It turns out that an attacker can easily register a proxy server on a network using the Windows Internet Naming Service (WINS) and other network services including the Domain Name System, or DNS, he said.
Paget said: "When IE starts up, it will ask the network where its proxy server is. It is really easy to put up your hand and say: 'Here I am.'"
Microsoft acknowledges the problem in a support article published Saturday on its TechNet website. Microsoft said in its support article: "If an entity can surreptitiously register a WPAD entry in DNS or in WINS... clients may be able to route their internet traffic through a malicious proxy server."
Joris Evers writes for CNET News.com
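As an added illustration (not part of the original article, and not code from IOActive or Microsoft), the Python sketch below shows the defensive check the Microsoft statement implies: review DNS and WINS registrations for the name "wpad" and flag any that point at a host other than the sanctioned proxy. The record format, host names, addresses and the extra "unclaimed" finding are assumptions constructed for this example.

```python
# Added example: audit a name-service export for WPAD registrations.
# All records, names and addresses here are constructed for illustration.

APPROVED_PROXY_TARGETS = {"10.0.0.8"}  # assumption: the sanctioned WPAD host

# Constructed export rows: (source, registered name, target address)
SAMPLE_RECORDS = [
    ("DNS", "wpad.corp.example.", "10.0.0.8"),
    ("DNS", "WPAD.sales.corp.example.", "10.7.3.44"),
    ("DNS", "wpadmin.corp.example.", "10.0.0.9"),
    ("WINS", "WPAD           ", "10.7.3.44"),
    ("WINS", "FILESRV01      ", "10.0.0.20"),
]

def is_wpad_name(source, name):
    """True when the record claims the name a client asks for as 'wpad'."""
    if source == "WINS":
        # NetBIOS names are space-padded and case-insensitive.
        return name.strip().upper() == "WPAD"
    # DNS: only the leftmost label counts, so 'wpadmin' is not a match.
    return name.rstrip(".").split(".")[0].lower() == "wpad"

def audit(records, approved=APPROVED_PROXY_TARGETS):
    """Return (kind, source, name, target) findings.

    'unapproved': a WPAD record points somewhere other than an approved host.
    'unclaimed' : the service holds no WPAD record at all, so the name is
                  still open to whoever registers it first (assumption of
                  this example: the administrator wants it reserved).
    """
    findings = []
    claimed = set()
    for source, name, target in records:
        if not is_wpad_name(source, name):
            continue
        claimed.add(source)
        if target not in approved:
            findings.append(("unapproved", source, name.strip(), target))
    for source in ("DNS", "WINS"):
        if source not in claimed:
            findings.append(("unclaimed", source, "wpad", None))
    return findings

if __name__ == "__main__":
    for kind, source, name, target in audit(SAMPLE_RECORDS):
        print(f"{kind:10} {source:4} {name} -> {target}")
```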
Copyright © 2008 CBS Interactive Limited. All rights reserved.