To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/security/0,39024655,39166532,00.htm

IE lets attackers hijack network traffic
Proxy-settings kerfuffle

By Joris Evers

Published: Monday 26 March 2007

A problem in the way Windows PCs obtain network settings could let attackers hijack traffic, security researchers said Saturday.

The problem occurs because of a design bug in the system used by Windows PCs to obtain proxy settings, researchers with security firm IOActive said at the ShmooCon hacker conference in Washington, DC. As a result, an attacker with access to a network, for example, at a corporation could insert a malicious proxy and see all the traffic, the researchers said.

Chris Paget, director of research and development at IOActive, said in an interview after his presentation on the problem: "The upshot of it is that I can become your proxy server without you knowing about it. I can put up the equivalent of a detour sign on your network and redirect all the traffic."

An attacker can set up that "detour sign" because Internet Explorer on Windows PCs by default searches for a proxy server using the Web Proxy Autodiscovery Protocol, or WPAD, Paget said. It turns out that an attacker can easily register a proxy server on a network using the Windows Internet Naming Service (WINS) and other network services including the Domain Name System, or DNS, he said.

Paget said: "When IE starts up, it will ask the network where its proxy server is. It is really easy to put up your hand and say: 'Here I am.'"

Microsoft acknowledges the problem in a support article published Saturday on its TechNet website. Microsoft said in its support article: "If an entity can surreptitiously register a WPAD entry in DNS or in WINS... clients may be able to route their internet traffic through a malicious proxy server."

Joris Evers writes for CNET News.com