Saturday, March 14, 2009

Microsoft, researcher spar over security patch

Microsoft has released a patch for a hole in Windows 2000 and Windows Server 2003 and 2008 that could allow an attacker to redirect network traffic to a malicious site that has been set up to act as a proxy.

The vulnerability, rated critical by Microsoft, involves the feature that allows IT managers to set the Windows Proxy Auto-Discovery, or WPAD, entry in DNS. If IE or Firefox is configured to automatically detect settings, the browser will connect to the proxy computer named by that entry.

This is a useful feature for companies that want to set up their own proxy servers and monitor employees' Web use for security purposes. But it can also be used for a man-in-the-middle attack if an outsider is able to set the WPAD entry through a dynamic DNS update so that traffic is diverted to a malicious IP address.

The patch solves the problem for systems without a WPAD entry in DNS by blocking WPAD requests in the future. But for systems that already have a WPAD entry, the patch does nothing.

IT managers who install the patch could get a false sense of security that a compromised system has been fixed, said Tyler Reguly, a security research engineer at nCircle, who contacted Microsoft and wrote a blog post about his concerns the same night that Microsoft released the update.

In a blog post the next day, Reguly said a Microsoft representative told him that the company chose to leave existing WPAD entries untouched because it is not possible to distinguish legitimate WPAD entries from those set by an attacker.

But Microsoft could at least have included, for example, a pop-up message warning the user that a WPAD DNS entry exists, and even asking whether they want to keep or block it, Reguly said.

"I understand the need to maintain the function, but not at the cost of sweeping security issues under the rug," he wrote.

In response, Microsoft issued a more detailed technical note on the update on Friday, saying that the company would not interfere with functionality and chose not to override any administrator configuration on the chance that the WPAD entry is not valid, even if that means an attack will continue to work.

"This is not a scenario that the security update, or any security update released by Microsoft, aims to address," said the Microsoft note. "The security update is intended to help protect systems against future exploitation, and does not aim to undo any attacks that have occurred in the past."

The note then gives instructions for how an administrator can validate the IP address assigned to the WPAD entry in DNS.
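The check described above, as an added example that is not part of the original article and is not Microsoft's published procedure: it classifies each domain's WPAD entry as absent, approved, or unexpected, the last being the pre-existing entry the patch leaves in place. The domain names, addresses and function names are constructed for illustration, and the default resolver is assumed to reflect what the DNS server actually answers.

```python
import ipaddress
import socket


def resolve(name):
    """Addresses that `name` currently resolves to (empty set if no record)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    # Drop any IPv6 scope suffix ("%eth0") before parsing.
    return {ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos}


def audit_wpad(domains, approved_proxies, resolver=resolve):
    """Compare each wpad.<domain> entry with the proxies the admin deployed."""
    approved = [ipaddress.ip_network(p) for p in approved_proxies]
    report = {}
    for domain in domains:
        name = "wpad." + domain.strip(".")
        addrs = resolver(name)
        # Any address outside the approved list needs investigation.
        rogue = sorted(str(a) for a in addrs
                       if not any(a in net for net in approved))
        if not addrs:
            status = "absent"      # no entry: future requests are blocked
        elif rogue:
            status = "unexpected"  # existing entry the patch will not touch
        else:
            status = "approved"
        report[name] = (status, rogue)
    return report


# Constructed sample zone data, so the demo runs offline.
CONSTRUCTED_ZONE = {
    "wpad.corp.example": {"10.0.0.5"},
    "wpad.branch.example": {"10.0.1.7", "203.0.113.66"},
}


def constructed_resolver(name):
    return {ipaddress.ip_address(a) for a in CONSTRUCTED_ZONE.get(name, ())}


if __name__ == "__main__":
    result = audit_wpad(["corp.example", "lab.example", "branch.example"],
                        ["10.0.0.5", "10.0.1.0/24"], constructed_resolver)
    for name, (status, rogue) in result.items():
        print(name, status, ", ".join(rogue))
```

An "unexpected" result only means the address is not on the approved list; the administrator still has to decide whether the entry is legitimate.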

In an interview on Friday, Reguly was still disappointed with Microsoft and with how it implemented the fix for the problem.

"There are things they could have done to mitigate the fact that they prefer function over security," he said. "They could also change DNS so that you cannot update the WPAD entry dynamically."
