Microsoft Fixes IE 5 Bug
- By Scott Bekker
- December 02, 1999
Microsoft has released a version upgrade that eliminates a vulnerability in Internet Explorer 5. Under certain conditions, the vulnerability could allow a malicious user to porvide proxy settings to Web clients in another network.
The Internet Explorer 5 Web Proxy Auto-Discovery (WPAD) feature enables Web clients to automatically detect proxy settings without user intervention. The algorithm used by WPAD adds the hostname "wpad" as a prefix to the fully-qualified domain name and progressively removes subdomains until it either finds a WPAD server answering the hostname or reaches the third-level domain. For instance, Web clients in the domain a.b.domain.com would query wpad.a.b.domain, wpad.b.domain.com, then wpad.domain.com. The vulnerability arises because in international usage, the third-level domain may not be trusted. A malicious user could set up a WPAD server and serve proxy configuration commands of his choice.
Microsoft Internet Explorer 5 is known to be affected by this vulnerability. The vulnerability is eliminated by Internet Explorer 5.01, which is available at http://www.microsoft.com/msdownload/iebuild/ie501_win32/en/ie501_win32.htm.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.