Telstra has revealed the addition of almost one million new mobile services in the six months to December 2011, but Sensis revenues plummeted 24 percent in 12 months.
The WPAD vulnerability was fixed some time ago for domains registered in top level domains such as .com and .net, but not - it turns out - for those in national and other second level domains such as .com.au or .co.nz.
The problem is in the way Windows' web proxy auto-discovery (WPAD) feature works. Using Microsoft's example to illustrate the process, a web client in the western.corp.contoso.co.us domaim would start by querying wpad.western.corp.contoso.co.us for a WPAD server. If that failed, it would try wpad.corp.contoso.co.us, and then wpad.contoso.co.us. So far, so good. But if that still fails, the next step is to try wpad.co.us, which is outside the organisation's domain.
This means someone registering wpad in a second level domain could set up a WPAD server that configures clients to use a proxy server under their control. That proxy would then provide its operator with a means of inspecting all the traffic flowing to and from those clients - a clear security issue.
wpad has already been registered in various namespaces, including .com.au, .co.nz and .co.uk.
The purpose of WPAD is to allow a web client to detect proxy settings without user intervention.
The vulnerability affects Windows 2000, XP, 2003 and Vista, and Internet Explorer 5, 6, and 7. Software from other vendors may also be affected if they use this feature.
Most home users would not have a primary DNS suffix configured, and so are not affected by the vulnerability, according to Microsoft.
While the company works to develop a patch for the problem, it suggests other customers take various protective measures including setting up a WPAD server within the organisation, configuring Internet Explorer so it does not attempt to automatically detect settings, disabling DNS devolution, and configuring a domain suffix search list.
David Bass
| For the fourth year in a row, IDC has placed content security provider Websense (NASDAQ: WBSN) at the top of the IDC Worldwide Web Security 2011 –…
How to Make Business Discovery Work for Your Business
Business Discovery takes its cues from consumer apps. Like Google, it encourages us- ers to hunt for and explore data without worrying about or even noticing the underly- ing technology. Their entire experience is working within an intuitive interface to get real-time, self-service results with only minimal training. ...more
Try an easy-to-use set of web-enabled
tools for business-class productivity services. Office 365 provides
anywhere-access to email, important documents, contacts, and calendars
on almost any device.
LATEST HEADLINES FROM YOUR IT
