Microsoft, researcher spar over security patch
Researcher complains that Microsoft patch fails to protect users, but Microsoft says doing things differently would have interfered with functionality.
, Microsoft released a patch for a hole in Windows 2000 and Server 2003 and 2008 that could allow an attacker to redirect network traffic to a malicious site that has been set to serve as a proxy.
The vulnerability, rated important by Microsoft, allows IT managers to set a Windows Proxy Auto-Discovery, or WPAD, entry in the DNS. If IE or Firefox are configured to "automatically detect settings," the browser will connect to the proxy machine.
This is a useful feature for corporations that want to set up their own proxy server for monitoring employee Web use and for security purposes. But it also could allow for a man-in-the-middle type of attack if an outsider were able to set the WPAD entry through a dynamic DNS update so that the traffic is diverted to a malicious IP address.
The patch solves the problem for systems with no WPAD entry in the DNS, by blocking future queries for WPAD. But for systems with a WPAD entry, the patch does nothing.
IT managers who install the patch could be given a false sense of security that any compromised systems have been fixed, said Tyler Reguly, senior security research engineer at nCircle, who contacted Microsoft and wrote a blog post about his concerns the same night Microsoft released its update.
In a blog post the following day, Reguly said a Microsoft representative told him the company chose to leave existing WPAD entries untouched because it is not possible to differentiate legitimate WPAD entries from ones loaded by an attacker.
But Microsoft could at least have included a pop-up message in that instance, warning users that the DNS has a WPAD entry, and maybe even ask if they want to keep it or block it, Reguly said.
"I understand the need to preserve functionality, but not at the cost of sweeping security issues under the rug," he wrote.
In response to the concerns, Microsoft issued a more detailed technical note on the update on Friday that said the company didn't want to impair functionality and chose not to risk breaking any administrator configurations in the possibility that the WPAD was not legitimate, even if it means an attack would continue to be effective.
"This is indeed not a scenario the security update, or any security update released by Microsoft aims to address," the Microsoft note says. "Security updates are intended to help protect the system against future exploitation, and don't aim to undo any attack that has taken place in the past."
The note then provides instructions for how an administrator can validate the IP address assigned to the WPAD entry in the DNS.
In a telephone interview with CNET News late on Friday, Reguly remained disappointed with how Microsoft implemented its fix for the problem.
"They could have done things to mitigate the fact that they chose function over security," he said. "They also could have modified DNS so you couldn't do dynamic updates with WPAD."