COMMAND

    Internet Explorer

SYSTEMS AFFECTED

    IE5

PROBLEM

    Tim  Adam  found  following.   The  IE  5 Web Proxy Auto-Discovery
    (WPAD) feature enables web  clients to automatically detect  proxy
    settings without  user intervention.  The algorithm  used by  WPAD
    prepends the  hostname "wpad"  to the  fully-qualified domain name
    and progressively removes subdomains until it either finds a  WPAD
    server answering the hostname  or reaches the third-level  domain.
    For instance,  web clients  in the  domain a.b.microsoft.com would
    query     wpad.a.b.microsoft,      wpad.b.microsoft.com,      then
    wpad.microsoft.com.     A   vulnerability   arises   because    in
    international usage,  the third-level  domain may  not be trusted.
    A  malicious  user  could  set  up  a  WPAD server and serve proxy
    configuration commands of his or her choice.

SOLUTION

    The vulnerability is eliminated by IE 5.01, which is available at:

        http://www.microsoft.com/windows/ie/download/all.htm?bShowPage
        http://www.microsoft.com/msdownload/iebuild/ie501_win32/en/ie501_win32.htm