Eight-year-old Windows name resolution exploit re-emerges

By Scott M. Fulton, III, BetaNews

December 4, 2007, 11:25 AM

Microsoft acknowledged the discovery of an exploitable bug in the way one of its services handles domain name resolution -- a bug it thought it fixed in 1999.

At a so-called "ethical hacker conference" in New Zealand last week, a programmer named Beau Butler revealed a method whereby a malicious user could intercept and re-route Internet traffic throughout a network, using a man-in-the-middle attack. The method involved being able to masquerade as something called Web Proxy Auto-Discovery Protocol (WPAD), whose purpose is to automatically detect whether a system utilizes proxies for domains higher than the second level (e.g., fileforum.betanews.com).

WPAD does this by adding wpad. to the front of domain names in the network, starting with the highest-order names and working backwards until it reaches the second level, pinging each name until it gets a response. If it gets one, it then communicates with the WPAD service at that level.

The man-in-the-middle attack is quite simple: By pretending to be WPAD, a malicious service can pretend to be resolving the domain name to something else entirely, creating an easy denial-of-service situation.

Microsoft thought it had solved this problem in 1999, and at one level, it actually had. But as Butler discovered, the fix the company had deployed only enabled malicious middlemen to be discovered for networks using the .com TLD. For any other TLD, the exploit was wide open -- including for Butler's home country TLD, .nz.
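The following added example (not code from BetaNews, Microsoft or the researcher) models the DNS-suffix walk the article describes and the flaw it reports: a client that strips labels off its own domain name, prepending "wpad." at each step, must stop at the registrable (second-level) boundary for every TLD, not just .com. The host names, organisation names and the two public-suffix sets are constructed for illustration; a real implementation should consult the full Public Suffix List rather than a hand-made set. It covers only the DNS part of discovery, which is what the article discusses.

```python
"""Model of the WPAD DNS-suffix walk, showing why the search must stop at the
registrable boundary for every TLD.

Added example, not the article's or any vendor's code. All names and suffix
sets below are constructed for illustration.
"""

# Constructed sample of public suffixes (names under which anyone can register).
# A real client should use the full Public Suffix List, not a hand-made set.
PUBLIC_SUFFIXES_FULL = {"com", "net", "org", "nz", "co.nz", "org.nz", "uk", "co.uk"}

# Models a stop list that only knows about .com, which is how the article
# characterises the 1999 fix: the walk stops correctly for .com hosts only.
PUBLIC_SUFFIXES_COM_ONLY = {"com"}


def wpad_candidates(fqdn, public_suffixes):
    """Return the wpad.<suffix> names a WPAD client would try for `fqdn`, in order.

    The client drops the host label, then repeatedly strips the leftmost label
    of the remaining suffix, prepending "wpad." each time. The walk must stop
    as soon as the remaining suffix is a public suffix: a name such as
    wpad.co.nz lies outside the organisation and could be registered by anyone.
    """
    labels = fqdn.lower().strip(".").split(".")
    candidates = []
    for i in range(1, len(labels)):  # i == 0 would be the host itself
        suffix = ".".join(labels[i:])
        if suffix in public_suffixes:
            break  # reached the registrable boundary; never query beyond it
        candidates.append("wpad." + suffix)
    return candidates


def leaked_candidates(fqdn, org_domain, public_suffixes):
    """Candidates that fall outside `org_domain`.

    These are names the organisation does not control, so it cannot guarantee
    that whoever answers for them is a trusted proxy-configuration server.
    """
    org = org_domain.lower().strip(".")
    return [
        c for c in wpad_candidates(fqdn, public_suffixes)
        if not (c == "wpad." + org or c.endswith("." + org))
    ]


if __name__ == "__main__":
    # Constructed hosts: one under a country-code second-level domain, one under .com.
    for host, org in (("pc1.sales.example.co.nz", "example.co.nz"),
                      ("pc1.corp.example.com", "example.com")):
        print(host)
        print("  full stop list   :", wpad_candidates(host, PUBLIC_SUFFIXES_FULL))
        print("  .com-only list   :", wpad_candidates(host, PUBLIC_SUFFIXES_COM_ONLY))
        print("  leaked (.com-only):", leaked_candidates(host, org, PUBLIC_SUFFIXES_COM_ONLY))
```

With the .com-only stop list the .nz host keeps walking to wpad.co.nz and wpad.nz, names outside the organisation, while the .com host stops correctly at example.com; with a complete public-suffix set both hosts stop inside their own domain. A network defender can run the same walk over their own naming scheme to see which candidate names would be queried and confirm that every one of them resolves only to hosts they control.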

Yesterday, Microsoft issued a security advisory acknowledging the flaw, but treating it with kid gloves as though it were recently discovered. It impacts Windows versions dating back to Windows 2000 SP4 and Windows XP SP2, and users of all versions of Internet Explorer dating back to 5.01. But while the company credited Butler with the discovery, it gingerly avoided any mention of the exploit's age.

Thus once again, security blogs that picked up the Microsoft advisory and dubbed it another "zero-day" may want to re-investigate this exploit's history. And it's also worth noting that, while there continues to be healthy debate over the design flaws that continue to affect Windows services, this particular one lay in waiting for about eight years, only to be re-discovered by someone whose interests were in spotlighting and correcting the problem. It says something about the complexion of the modern malicious user community.

Security firm Secunia this morning rates the exploit as "less critical."


By TSThomas

posted Dec 4, 2007 - 11:18 PM

"It impacts Windows versions dating back to Windows 2000 SP4 and Windows XP SP2, and users of all versions of Internet Explorer dating back to 5.01. But while the company credited Butler with the discovery, it gingerly avoided any mention of the exploit's age."

I wonder what Jeff Jones has to say about this :)

Score: 0

By phenomnaruto

posted Dec 4, 2007 - 4:56 PM

Don't worry, this happened to Apple before; as a matter of fact, it was last week.

Score: 0

By pitdingo

posted Dec 4, 2007 - 7:39 PM

yep, and all the M$ drones piled on Apple.

Score: 0

By Program86

posted Dec 4, 2007 - 2:15 PM

Same old, same old sad story...

Score: 0

By mjm01010101

posted Dec 4, 2007 - 1:46 PM

http://www.news.com/2300-7349_3-6220587-1.html

This image sums it up pretty well I think.
"What to Do"

"What to Say"

Score: 0

By why hello there

posted Dec 4, 2007 - 1:31 PM

You mean Marketing company Microsoft has no clue what they are doing? I'm shocked

Score: 0

By Banquo

edited Dec 4, 2007 - 1:19 PM

"Windows 2000 XP4" :-P

Score: 0