Newsletter Archives

  • Project Zero: Watch out for Web Proxy Auto-Discovery

    What is WPAD? Easy question, long answer. Google’s Project Zero just posted a scary evaluation:

    (With WPAD) every Windows machine will ask the local network: “Hey, where can I find a Javascript file to execute?”… WPAD allows the computer to query the local network to determine the server from which to load the PAC file… The browser connects to a pre-configured server, downloads the PAC file, and executes a particular Javascript function to determine proper proxy configuration.

    And… you guessed it… the PAC file can contain all sorts of compromising programs.

    Windows is certainly not the only piece of software that implements WPAD. Other operating systems and applications do as well. For example Google Chrome also has a WPAD implementation, but in Chrome’s case, evaluating the JavaScript code from the PAC file happens inside a sandbox. And other operating systems that support WPAD don’t enable it by default. This is why Windows is currently the most interesting target for this sort of attack.

    The Project Zero people proceed to discuss many different nightmare scenarios. Oh boy.