By Patrick Gray
December 4, 2007
Microsoft is releasing a patch for a serious security vulnerability that allows lone attackers who register particular internet domain names to seize control of millions of computers. Ethical hacker and software engineer Beau Butler researched the bug and presented his findings to the inaugural Kiwicon security conference in Wellington, New Zealand, last month.
Microsoft was unaware of the bug until contacted by Next two weeks ago and has worked frantically to produce a fix. The glitch affects the way browser software attempts to automatically configure proxy settings, and means millions of PCs around the world are attempting to download configuration information from the internet instead of from their ISP.
By simply registering a special domain name, an attacker could feed bogus configuration information to affected PCs, hijack their connections to the internet and seize control of them. Butler registered wpad.co.nz, which he says would have allowed him to hijack over 160,000 computers in New Zealand alone. The vast majority of browsers affected were Internet Explorer, but Butler says the glitch is also present in the open source Firefox browser.
The bug also means Australian computers attempt to download configuration information from domains including wpad.com.au. That domain is registered to John Walker, the managing director of Henge Systems, a technology consultancy and hosting provider that counts the Australian Federal Police and the Society for Worldwide Interbank Financial Telecommunication among its clients.
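As an added defensive check (not from the article, Microsoft's patch, or Butler's research), the script below models the domain devolution the article describes: for a machine's DNS search suffix it lists the wpad hostnames a browser would try, then flags any that sit directly under a public registry suffix such as co.nz or com.au, where anyone could register the name. The suffix list and the devolution order are assumptions for illustration, not the browser's actual code.

```python
# Added example: models WPAD DNS devolution and flags lookups that leak
# outside the organisation's own zone. Not code from the article.

# Constructed, deliberately short subset of public suffixes for illustration;
# a real check would load the Public Suffix List (publicsuffix.org).
PUBLIC_SUFFIXES = {"nz", "co.nz", "au", "com.au", "com", "org"}


def wpad_candidates(search_suffix: str) -> list[str]:
    """Hostnames tried, most specific first, when the DNS suffix is devolved
    one label at a time (assumed order; stops before a bare TLD)."""
    labels = [l for l in search_suffix.lower().strip(".").split(".") if l]
    candidates = []
    for i in range(len(labels) - 1):          # never emit "wpad.<tld>" itself
        candidates.append("wpad." + ".".join(labels[i:]))
    return candidates


def is_public_registry(name: str) -> bool:
    """True if the wpad hostname sits directly under a public suffix, i.e. the
    name is open for registration by anyone rather than by the organisation."""
    parent = name.split(".", 1)[1]            # strip the leading "wpad."
    return parent in PUBLIC_SUFFIXES


def risky_wpad_names(search_suffix: str) -> list[str]:
    """Candidates that leak the proxy lookup to a publicly registrable name;
    an empty list means devolution stays inside the organisation's zone."""
    return [c for c in wpad_candidates(search_suffix) if is_public_registry(c)]


if __name__ == "__main__":
    for suffix in ("dept.example.co.nz", "corp.example.com.au", "example.com"):
        print(suffix, "->", wpad_candidates(suffix), "risky:", risky_wpad_names(suffix))
```

A non-empty result is the condition to fix on the organisation's side: publish your own wpad record (or disable proxy auto-detection) so the lookup never reaches the public name.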

The Sydney Morning Herald