… when it doesn’t patch! That was an easy question, but Microsoft has a different opinion on this. In this blog post at 360 Security, Tyler Reguly explains why he thinks MS09-08 is not really a patch; it doesn’t actually fix the vulnerability that it is supposed to fix.

MS09-08 contains an update that “fixes” an issue with the way WPAD entries are stored. A WPAD file is used by Windows (or, at the very least, Internet Explorer) to automatically discover proxy settings. If your computer is in the zone example.com, it will look for a host named wpad.example.com and request the file wpad.dat from it via HTTP.

wpad

The problem is that the DNS entry for wpad.example.com can be updated by an attacker:

  1. Attacker sends Dynamic Update to set the wpad entry to a malicious target
  2. DNS Stores wpad entry
  3. Victim queries DNS and is provided the malicious wpad entry

If the attacker is able to specify a web proxy of his choice, he can easily eavesdrop on your web traffic. The problem with the patch provided by Microsoft is that it doesn’t actually fix this (hey, it’s a feature, not a bug!). Instead the patch installs a block list that contains DNS entries that are hidden. So if you didn’t have a WPAD entry in your DNS before installing the patch, it can’t be created via a dynamic update later.

However, this “fix” is broken on many levels:

  • It’s not a fix, it’s a workaround. The actual vulnerability still exists.
  • If you have even a single domain that has a WPAD entry, the fix will not work, since the block list is server-wide, and not per domain.
  • If you have a valid WPAD entry, it can still be overwritten.

nCircle says it this way:

To be fair, Microsoft did provide information about this (strictly speaking) – the advisory contains a Known Issues link that points to a knowledge base and that knowledge base contains a single line, halfway down the page to inform you that wpad and isatap entries won’t be created if they existed prior to the host being patchigated. It’s not directly referenced in the advisory, and the Known Issues” link wasn’t added until after I contacted Microsoft and wrote my initial blog post, but I digress …

I just tried to verify this, and it took me a while to locate the description even though I knew it had to be there. I mean, seriously, you’d think they would notify you of this in the main security advisory!

If you absolutely need to use WPAD, configure it using DHCP, remove all wpad entries from your DNS server, and only install the patch after you have done this. DHCP-provided WPAD entries have a higher priority than plain DNS entries, and you can point them to a host that has a different name than the default “wpad.yourdomain.com”. The correct DHCP option to use is option 252.