Disable WPAD Now or Have Your Accounts Compromised, Researchers Warn (csoonline.com)
It's enabled by default on Windows (and supported by other operating systems) -- but now security researchers are warning that "Man-in-the-middle attackers can abuse the WPAD protocol to hijack people's online accounts and steal their sensitive information even when they access websites over encrypted HTTPS or VPN connections," according to CSO. Slashdot reader itwbennett writes: Their advice: disable WPAD now. "No seriously, turn off WPAD!" one of their presentation slides said. "If you still need to use PAC files, turn off WPAD and configure an explicit URL for your PAC script; and serve it over HTTPS or from a local file"... A few days before their presentation, two other researchers named Itzik Kotler and Amit Klein independently showed the same HTTPS URL leak via malicious PACs in a presentation at the Black Hat security conference. A third researcher, Maxim Goncharov, held a separate Black Hat talk about WPAD security risks, entitled BadWPAD.
No How To?? (Score:5, Informative)
To prevent Windows from tracking which networks support WPAD, you need to make a simple registry change:
1. Click the Start button, and in the search field, type in "regedit", then select "regedit.exe" from the list of results
2. Navigate through the tree to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad"
3. Once you have the "Wpad" folder selected, right click in the right pane, and click on "New -> DWORD (32-Bit Value)"
4. Name this new value "WpadOverride"
5. Double click the new "WpadOverride" value to edit it
6. In the "Value data" field, replace the "0" with a "1", then click "OK"
7. Reboot the computer
Re:No How To?? (Score:5, Informative)
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadOverride"=dword:00000001
Re: No How To?? (Score:4, Informative)
You don't need to mess around in the registry and reboot.
All you have to do is go into Internet Options (control panel) > Connections > LAN Settings
Uncheck the top box labeled Automatically detect settings.
There are GPOs for this as well. And this is not anything close to news. Most companies already disable this in Group Policy because it barely works and is obviously horrifically insecure to anyone that even starts to look into how it works.
Re: (Score:2)
To remediate the risks, you can simply require that your users always use VPN back to corpnet and don't browse the web on untrusted networks such as hotels, airports, coffee shops and the like.
'Don't use untrusted networks' Giggle. Snort. Cough.
Re: (Score:2)
Or better, consider every network to be untrusted. No nasty surprises this way.
Re: (Score:2)
I assume by "barely works" you mean works great, right? Because it does - work great, that is. We've used it for at least 18 years with great success.
For the same reason that Password1 is popular.
Re: (Score:1)
Yeah, seriously. Telling people that you are at risk of account compromise unless you do "X" and then giving zero instructions on how to do "X" is pretty terrible.
I did Google for instructions on how to disable Wpad and found the registry setting mentioned above, but it didn't seem clear whether that was sufficient. The instructions below saying "This should work for most users" just add to the confusion.
Re: (Score:1)
When I tried to go to the illustrated panel, it looked totally different on my Windows 7 PC. Does it look the same on your PC? What version of Windows does that illustration apply to?
Re: (Score:1)
Also from what I can tell this is a local network attack.
So if you never take your computer off your home network, don't panic too much.
If you plug your computer into remote networks (your local bistro, etc) this could be an issue.
This sort of attack has been known for a while with PAC files. I was considering setting up this very thing on my home network. But I quickly figured out it was an easy way for someone to inject JavaScript into every web page I am on. PAC files have pretty much full control of ever
Re: (Score:3)
To prevent Windows from tracking which networks support WPAD, you need to make a simple registry change:
That's the method that Grandma uses.
Re: (Score:2)
Grandma rocks!
Re: (Score:2)
Grandma rocks!
And don't take no crap from anyone either.
Re: (Score:1)
My grandma is Grace Murray Hopper, you insensitive clod
Err ... she didn't have any children.
That's a shame. Really. We need her DNA. 8-)
Re: (Score:1)
If you want to do this in a single command, or batch file, I believe this will do the same:
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f /v "WpadOverride" /t REG_DWORD /d 1
Caveat: I'm more of a Linux guy, but with stack overflow and some trial and error, this worked on my Win10 system.
Googling does not tell me how to turn it off. (Score:1)
Re: (Score:2)
For Windows 7 Ultimate SP1 64-bit:
sc config WinHttpAutoProxySvc start= disabled
C:\WINDOWS\system32>sc stop WinHttpAutoProxySvc
[SC] ControlService FAILED 1051:
A stop control has been sent to a service that other running services are dependent on.
WPAD? (Score:5, Informative)
If you were finding the summary to be less than clear on WTF it was referring to.. WPAD = Web Proxy Autodiscovery Protocol.
Re: WPAD? (Score:1)
Maybe, I hear no doesn't mean no on windows anymore so...
Re: (Score:2)
If you use a proxy and you don't have to configure windows to use it, this won't work anymore.
But since you're asking that question, I somewhat doubt that you have a proxy configured, and configured in such a way that it uses WPAD. In other words, turn that shit off, if nothing else, it's one less useless service clogging your machine.
Re: (Score:2)
So the acronym for WPAP IS WPAD? I guess it should be more like Web Proxy AutoDiscovery protocol
Yes and yes.
Re:WPAD? The Name Says It All (Score:1)
I've done well over the past 20 years by just looking for marketingspeak and deactivating pre-emptively.
Insert a CD or device and then manually run SETUP.EXE? Fine. Insert a CD and let Autorun do it? Presume insecure. Disable.
DHCP is "Dynamic Host Configuration Protocol." No marketing name, but it works just fine and automagically gets me an IP. Something like Web Proxy Auto Disco
Re: (Score:3)
You have done well Glasshopper.
Re: (Score:2)
Same here. It's always been autoproxy to me. I Googled, which the summary writer didn't.
Re: (Score:2)
Is this advice for Windows 10? Windows 8? Windows 7? Windows Vista? Windows XP? Windows NT? Windows 2000? Windows 98? Windows 95? Windows ME?
Also Linux, iOS, Palm Pilot and KA9Q. The problem is in the protocol blindly fetching javascript and running it. Blame Netscape.
Re: (Score:3)
Everything I've found says that it is not enabled by default in GNU/Linux or iOS.
Right. It isn't. The common scenario is your work laptop that has it configured in order to find the company proxy, but when outside that network, it will reach out and pick up anything proffered up with the same name.
Re: (Score:2)
It is one of the reasons I stopped using my work laptop outside of work, except at home on the VPN.
Re: (Score:2)
It isn't ... on what distribution? Do you really feel lucky and able to claim that it isn't for ALL distris out there?
Re: (Score:2)
It probably is in your browser.
There are two variants:
a) via DHCP. Then your os needs to do stuff
b) Via DNS. Then your browser implements it. (Or your OS could do stuff, like setting environment variables).
I think the attack is about the DNS variant only.
Re: (Score:2)
Yes. And 8, 8.1, 10, ... all and any of them. The how to is in the top post.
Re: (Score:1)
Are there chances that this is the weakness being used to track down Tor users who are using Windows OS?
What about Macs? (Score:2)
Is there any such setting to disable on OS X/macOS?
How to turn off WPAD (Score:4, Informative)
This should work for most users:
1. Uncheck “Automatically detect settings” of Local Area Network (LAN) Settings in Internet Options.
2. Disable the service “WinHTTP Web Proxy Auto-Discovery Service” in Services.
3. Disable devolution by setting UseDomainNameDevolution value under the following registry entry to 0 (FALSE):
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
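The registry edit from the top post, the "Automatically detect settings" checkbox, and the WinHTTP service change from the three-step list above, combined into one audit-and-harden script. This is an added example, not code posted by any commenter in this thread. It assumes the documented layout of the binary DefaultConnectionSettings value (a flags DWORD at byte offset 8 in which bit 0x08 is "Automatically detect settings", and a change counter at offset 4 that WinINet uses to notice edits); the service step needs an elevated shell and, as the sc output further up shows, can be refused when dependent services are running, so it only changes the start type and reports failure rather than stopping the service. Domain devolution is deliberately left alone, per the reply that it breaks short-name resolution on domain-joined machines.

```powershell
# Added example: audit and disable WPAD for the current user on Windows.
# Assumes the DefaultConnectionSettings layout described in the lead-in.

$WpadKey        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad'
$ConnKey        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$AutoDetectFlag = 0x08   # "Automatically detect settings" bit in the flags DWORD at offset 8

function Get-WpadState {
    # Report the three controls the thread discusses without changing anything.
    $override = (Get-ItemProperty -Path $WpadKey -Name WpadOverride -ErrorAction SilentlyContinue).WpadOverride
    $blob     = (Get-ItemProperty -Path $ConnKey -Name DefaultConnectionSettings -ErrorAction SilentlyContinue).DefaultConnectionSettings
    $autoDetect = $null
    if ($blob -and $blob.Length -ge 12) {
        $flags      = [BitConverter]::ToUInt32($blob, 8)
        $autoDetect = [bool]($flags -band $AutoDetectFlag)
    }
    $svc = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WpadOverride      = $override                                  # 1 means WPAD lookups are suppressed
        AutoDetectEnabled = $autoDetect                                # $true means the LAN Settings box is checked
        ServiceStatus     = if ($svc) { $svc.Status }    else { 'missing' }
        ServiceStartType  = if ($svc) { $svc.StartType } else { 'missing' }
    }
}

function Disable-Wpad {
    # 1. WpadOverride=1, the registry method from the top post.
    if (-not (Test-Path $WpadKey)) { New-Item -Path $WpadKey -Force | Out-Null }
    New-ItemProperty -Path $WpadKey -Name WpadOverride -PropertyType DWord -Value 1 -Force | Out-Null

    # 2. Clear "Automatically detect settings" in the binary connection settings.
    $blob = (Get-ItemProperty -Path $ConnKey -Name DefaultConnectionSettings -ErrorAction SilentlyContinue).DefaultConnectionSettings
    if ($blob -and $blob.Length -ge 12) {
        $flags = [BitConverter]::ToUInt32($blob, 8) -band (-bnot $AutoDetectFlag)
        [BitConverter]::GetBytes([uint32]$flags).CopyTo($blob, 8)
        # Bump the change counter at offset 4 so WinINet reloads the settings.
        $counter = [BitConverter]::ToUInt32($blob, 4) + 1
        [BitConverter]::GetBytes([uint32]$counter).CopyTo($blob, 4)
        Set-ItemProperty -Path $ConnKey -Name DefaultConnectionSettings -Value $blob
    } else {
        Write-Warning 'DefaultConnectionSettings not found or too short; leaving auto-detect as is.'
    }

    # 3. Stop the WinHTTP auto-discovery service from starting again (needs admin).
    try {
        Set-Service -Name WinHttpAutoProxySvc -StartupType Disabled -ErrorAction Stop
    } catch {
        Write-Warning "Could not change WinHttpAutoProxySvc start type: $($_.Exception.Message)"
    }

    # Return the resulting state so the caller can verify the change.
    Get-WpadState
}

# Usage: run Get-WpadState first to see the current values, then Disable-Wpad.
Get-WpadState
```

Run Get-WpadState on its own before and after to confirm which of the three controls actually changed; a user who only has access to HKCU can still apply steps 1 and 2, and the service step failing does not undo the registry changes.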
Re: (Score:2)
Disabling domain devolution is not necessary and will break short-name resolution on domain joined machines where NetBIOS and WINS are disabled.
Thank you for pointing that out. (I'm not using a domain-joined PC myself but I'm sure lots of other people here are.)
Re: (Score:1)
How is this better or different from the single-step option of setting the WpadOverride registry key to "1"? And since you say this "should work for most users", what users will it not work for?
It is unfortunate that the original article didn't explain this carefully (or at all, actually).
Re: (Score:2)
How is this better or different from the single-step option of setting the WpadOverride registry key to "1"?
I don't know. Perhaps someone more savvy with WPAD than I can comment.
-
And since you say this "should work for most users", what users will it not work for?
As EvilSS mentioned, "disabling domain devolution is not necessary and will break short-name resolution on domain joined machines where NetBIOS and WINS are disabled". So I would guess it won't work for users with that environment.
Has anyone made a small program to disable this? (Score:1)
Blackhat PDF's LOL (Score:1)
Article links to 2 PDF's hosted by Blackhat. Can't wait to read em!
Overhyped? (Score:2)
Re: (Score:1)
Because you might at first read this as an attack on HTTPS, I can understand why you're skeptical.
This is however not an attack on HTTPS. Instead, what happens is that if WPAD is enabled, your browser tries (when it connects to a new network) to locate a computer named WPAD, through various ways ultimately falling back on the NetBIOS name, which users are on most networks free to specify themselves.
From this WPAD computer it downloads a bit of JavaScript, which must provide the browser with a function calle
8 year old news, but sadly still relevant (Score:3, Interesting)
Linux HOWTO (Score:2)
http://maximumhoyt.blogspot.co... [blogspot.com]
Re: (Score:2)
I think the guy is mixing up two different vulnerabilities. One is about intercepting connections by sending a lot of ACK packets, the other one is about faulty resolution of the DNS name for the WPAD server.
At what point does all this become... (Score:4, Insightful)
OS X users? (Score:1)
Re: (Score:2)
It does not affect Mac OS X.
WPAD is used to lookup the server that then supplies the proxy auto config file (proxy.pac).
On Mac OS X, under System Preferences, Network, Advanced, Auto Proxy Configuration.
You would have to type in the location manually, rather than the system using WPAD to attempt to locate it by itself.
So, Mac OS X is not vulnerable to this.
Exploit overstated. APRC? (Score:2)
You can disable this via the registry DWORD (0) at HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutoproxyResultCache.
https://support.microsoft.com/... [microsoft.com]