Article ID: 247333 - Last Review: January 25, 2007 - Revision: 4.1

Web Proxy Auto-Discovery "Spoofing" May Change Proxy Settings

Retired KB ArticleRetired KB Content Disclaimer
View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.
This article was previously published under Q247333
Expand all | Collapse all

SYMPTOMS

The Internet Explorer version 5 Web Proxy Auto-Discovery (WPAD) feature enables Web clients to automatically detect proxy settings without user intervention. The algorithm used by WPAD adds the subdomain "wpad" to the beginning of the fully-qualified domain name and progressively removes subdomains until it either finds a WPAD server answering the domain name or reaches the third-level domain. For example, Web clients in the a.b.microsoft.com domain would query wpad.a.b.microsoft, wpad.b.microsoft.com, and then wpad.microsoft.com. A vulnerability exists if the third-level domain is not a trusted domain. A malicious user could set up a WPAD server and serve proxy configuration commands of his or her choice.
Back to the top

CAUSE

WPAD is a feature introduced in Internet Explorer 5 that allows Web clients to find and load proxy configuration information from a server. The algorithm that determines the order in which domains are searched for this information may not handle some cases correctly.
Back to the top

RESOLUTION

To resolve this problem, obtain the latest service pack for Internet Explorer version 5.01. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
267954  (http://support.microsoft.com/kb/267954/EN-US/ ) How to Obtain the Latest Internet Explorer 5.01 Service Pack
On December 01, 1999, Microsoft released a security bulletin to the following web site announcing that Microsoft had released a version upgrade (Internet Explorer 5.01) that eliminates this vulnerability:
http://www.microsoft.com/technet/security/bulletin/ms99-054.mspx (http://www.microsoft.com/technet/security/bulletin/ms99-054.mspx)
Microsoft has since become aware of a variant to this exploit that is not eliminated by Internet Explorer 5.01. On May 18, Microsoft released a comprehensive patch to eliminate this vulnerability (and three other vulnerabilities). For additional information about resolving this problem, click the article number below to view the article in the Microsoft Knowledge Base:
262509  (http://support.microsoft.com/kb/262509/EN-US/ ) Patch Available for "Frame Domain Verification", "Unauthorized Cookie Access", "Malformed Component Attribute", and "WPAD Spoofing" Vulnerabilities
Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Internet Explorer version 5.01 Service Pack 1.
Back to the top

MORE INFORMATION

For related information about this problem, please visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/ms99-035.mspx (http://www.microsoft.com/technet/security/bulletin/ms99-035.mspx)

http://www.microsoft.com/technet/security/bulletin/ms99-054.mspx (http://www.microsoft.com/technet/security/bulletin/ms99-054.mspx)
For additional security-related information about Microsoft products, please visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/ (http://www.microsoft.com/technet/security/)
Back to the top
APPLIES TO
  • Microsoft Internet Explorer 5.0
  • Microsoft Internet Explorer 5.0
  • Microsoft Internet Explorer 5.0
Back to the top
Keywords: 
kbbug kbenv kbfix kbie501presp1fix KB247333
Back to the top
Retired KB ArticleRetired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
Back to the top