Wednesday, December 5, 2007

Windows DNS Flaw Is Back

Microsoft said Monday that a flaw in the way its Windows operating system looks up other computers on the Internet has resurfaced and could expose some customers to online attacks.

The flaw primarily affects corporate users outside of the United States. It could theoretically be exploited by attackers to silently redirect a victim to a malicious website.

Microsoft originally patched this flaw in 1999, but it was rediscovered recently in later versions of Windows and was then publicized at a recent hacker conference in New Zealand.

The bug has to do with the way Windows systems look for DNS (Directory Name Service) information under certain configurations.

Any version of Windows could theoretically be affected by the flaw, but Microsoft issued an advisory Monday explaining which Windows configurations are at risk and offering some possible workarounds for customers. The company said it is working to release a security patch for the problem.

Here's how the attack would work: When a Windows system is specially configured with its own DNS Suffix it will automatically search the network for DNS information on a Web Proxy Auto-Discovery (WPAD) server. Typically this server would be a trusted machine, running on the victim's own network.

WPAD servers are used to cut down on the manual configuration required to get Windows systems working on the network. DNS suffixes are used to associate computers with certain domains of the network and to simplify administration.

To make it easier for the PC to find a WPAD server, Windows uses a technique called DNS devolution to search the network for the server. For example, if an IDG PC was given a DNS suffix of corp.idg.co.uk, it would automatically look for a WPAD server at wpad.corp.idg.co.uk. If that failed, it would try wpad.idg.co.uk and then wpad.co.uk. And that's where the problem lies: by looking for DNS information on wpad.co.uk, the Windows machine has now left the IDG network and is doing a DNS look-up on an untrusted PC.

This flaw only affects customers whose domain names begin with a "third-level or deeper" domain, meaning that even with the DNS suffix, users on networks like idg.com or dhs.gov are not affected.

Attackers who registered "wpad" domains within second-level domains such as co.uk or co.nz could redirect victims to malicious Websites without their knowledge, something called a "man in the middle" attack. A victim might think he was visiting his bank's Website, but in reality, he could be sent to a phishing site.

No comments: