Microsoft Security Bulletin (MS99-054): Frequently Asked Questions
What's this bulletin about?
This bulletin announces the availability of a patch that eliminates a vulnerability in Microsoft® Internet Explorer 5. The vulnerability could allow a malicious user to change the configuration of web browsers within a network. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
The vulnerability could allow a malicious user to set up a server that provides bogus proxy server settings for a network. (In some cases, it could allow the user to provide bogus settings to multiple networks). By controlling the proxy settings that are used by a network, the malicious user could cause the network's web clients to use his or her own site as a gateway, thereby giving him or her the opportunity to read data as it traversed the site.
It's important to note that only web traffic could be re-routed via this vulnerability. Other traffic, such as email or network traffic, would not be affected. Also, if SSL were used to encrypt the web traffic, the malicious user would be unable to decrypt it even if he or she could re-route it through their site.
What is the vulnerability?
A feature introduced in IE 5, Web Proxy Auto-Detect (WPAD), allows web clients to find and load proxy configuration information from a server. The vulnerability results because the algorithm that determines the order in which domains are searched doesn't correctly handle some international cases.
What is WPAD?
WPAD allows IE 5 to automatically detect a server that will supply it with proxy server configuration settings. The purpose of the feature is to avoid the need to configure every web client in a network separately - instead, a single server in the network can provide the settings to all of the clients on the network.
What's the problem with the search algorithm?
When IE 5 starts, it will begin searching for a WPAD server, if it is configured to use WPAD. It starts the search by adding the hostname "WPAD" to the current fully-qualified domain name. For instance, a client in a.b.microsoft.com would search for a WPAD server at wpad.a.b.microsoft.com. If it could not locate one, it would remove the bottom-most domain and try again; for instance, it would try wpad.b.microsoft.com next. IE 5 would stop searching when it found a WPAD server or reached the third-level domain, wpad.microsoft.com.
The algorithm stops at the third level in order to not search outside of the current network. However, for international sites, this is not sufficient, because third-level domains can be outside the current network. For example, if the network at xyz.com.au did not have a WPAD server, the search algorithm eventually would reach wpad.com.au, which is an external network name. If the owner of wpad.com.au set up a WPAD server, he or she could provide chosen proxy server configuration settings to the clients at xyz.com.au. For that matter, any network in com.au that didn't have its own WPAD server but did have WPAD enabled in its web clients also would resolve to wpad.com.au.
What could a bogus WPAD server do?
A bogus WPAD server could provide arbitrary proxy server settings to web clients. In the simplest case, it could simply feed invalid ones to the clients, as a denial of service attack. However, in a more sophisticated attack, a bogus WPAD server could establish itself as a gateway for the network, thereby causing the network to route outgoing traffic through the hostile user's site. This could allow the hostile user to eavesdrop on the network's web browser traffic.
What kind of data could be re-routed through this vulnerability?
Only web traffic. It would not enable a malicious user to route email data through his or her site, nor could it be used to route network traffic externally.
Would SSL-encrypted web traffic be at risk?
Although web traffic, including SSL-encrypted web traffic, could be re-routed through the malicious user's site via this vulnerability, it would not provide the malicious user with a way to decrypt it.
Is WPAD enabled by default in IE 5?
Yes.
How does IE 5.01 eliminate the vulnerability?
IE 5.01 has a more robust search algorithm that does not blindly search third-level domains. Instead, it searches third-level domains only when appropriate.
Are there any other ways to protect against the vulnerability?
Yes. The WPAD search algorithm will stop as soon as it finds a server that answers one of the search domains. One way to ensure that the search never tries a third-level domain is to configure a server to answer at some point before then. For example, as long as wpad.xyz.com.au resolved, the search would never reach wpad.com.au.
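The search order described under "What's the problem with the search algorithm?" and the workaround above can be checked offline with a small model. This is an added example, not Microsoft's code: the function names, the org_domain parameter and the resolving set are assumptions, and no DNS queries are made.

```python
# Added example: models the IE 5 WPAD search order as this FAQ describes it.
# Function names and the "resolving" set are illustrative assumptions.

def wpad_candidates(client_domain):
    """Names tried in order: wpad.<domain>, dropping the left-most label
    each round, stopping once the candidate is a third-level name."""
    labels = client_domain.lower().strip(".").split(".")
    names = []
    while True:
        names.append(".".join(["wpad"] + labels))
        if len(labels) <= 2:      # candidate is now third-level (or shorter)
            return names
        labels = labels[1:]

def is_internal(name, org_domain):
    """True if name lies inside the zone the organization controls."""
    org = org_domain.lower().strip(".")
    return name == org or name.endswith("." + org)

def audit(client_domain, org_domain, resolving=()):
    """Walk the search order. 'resolving' is the set of WPAD names the
    organization's own DNS answers. Returns where the search stops and
    whether it reaches a name outside org_domain first."""
    answered = {n.lower() for n in resolving}
    for name in wpad_candidates(client_domain):
        if not is_internal(name, org_domain):
            return {"stops_at": None, "exposed": True, "external_name": name}
        if name in answered:
            return {"stops_at": name, "exposed": False, "external_name": None}
    return {"stops_at": None, "exposed": False, "external_name": None}

if __name__ == "__main__":
    # Constructed inputs using the FAQ's example domains.
    print(wpad_candidates("a.b.microsoft.com"))
    print(audit("xyz.com.au", "xyz.com.au"))
    print(audit("xyz.com.au", "xyz.com.au", {"wpad.xyz.com.au"}))
```

Run against each client domain in a network, any result with exposed set to True names the internal WPAD record that needs to exist for the search to stop before the external name.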
I have IE 4. Am I affected by the vulnerability?
No. The WPAD feature was introduced in IE 5, and this vulnerability does not affect any other versions of IE.
Where can I get IE 5.01?
The download location for IE 5.01 is provided in the "Patch Availability" section of the security bulletin.
How can I tell if I installed IE 5.01 correctly?
In the Internet Explorer command menu, select "Help", then "About Internet Explorer". If IE 5.01 is installed, the version number will be 5.00.2919.6307.
What is Microsoft doing about this issue?
• Microsoft has developed a version upgrade that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft Security Advisor web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.