Security Research & Defense

Information from Microsoft about vulnerabilities, mitigations and workarounds, active attacks, security research, tools and guidance

November, 2012

  • MS12-074: Addressing a vulnerability in WPAD’s PAC file handling

    Today we released MS12-074, addressing a Critical class vulnerability in the .NET Framework that could potentially allow remote code execution with no user interaction. This particular CVE, CVE-2012-4776, could allow an attacker on a local network to host a malicious WPAD PAC file containing script code which could be executed on a victim machine without requiring any type of authentication or user interaction. To help you assess and mitigate the risk this vulnerability poses in your environment, we’d like to explain each of elements of a successful attack and list the potential workarounds and countermeasures.

    First, an attacker would need to act as the authoritative proxy auto-configuration file server for your network. One way this could happen is if an attacker is able to register the hostname WPAD on your network. Alternately, an attacker present on your network segment could potentially act as a man-in-the-middle and respond to any WPAD queries for a legitimate proxy auto-configuration file server. Or, an attacker having the ability to spoof DHCP, DNS, or lower layer responses on your network segment can specify an arbitrary proxy auto-configuration file server directly.

    The second element necessary for this attack is an outbound request from a .NET application requesting the proxy auto-configuration file server. Simply launching the browser is not enough to trigger this vulnerability. An Internet-based attacker would have trouble triggering this outbound request because the common browser-based Internet Zone .NET application mechanisms have been disabled by default, as of MS11-044. However, if an attacker can lure a victim user to an Intranet Zone site they control, the attacker could potentially instantiate an XBAP-based application which would trigger the request. If a .NET application uses the default proxy settings of the system either implicitly or explicitly via the .NET WebRequest.DefaultWebProxy property, and the app.config default proxy setting is not present, the Internet Explorer proxy settings will be used. If the “Automatically Detect Settings” box (shown below) is checked in Internet Explorer’s Internet Options->Local Area Network (LAN) Settings, the system will use WPAD to try to find the configuration file when the default proxy lookup is requested by the .NET application.

    The third element necessary to trigger the vulnerability is the proxy auto-configuration file server responding with a PAC file containing malicious script code. If you are particularly concerned about this attack, you might consider inspecting PAC files for malicious script code.

    Workarounds and Countermeasures

    Installing the MS12-074 security update will comprehensively address this vulnerability. If you are unable to do so, you might consider other options to protect your machine from being exploited by this .NET vulnerability. The workaround list below is sorted by our recommended order of effectiveness:

    1) Explicitly set the proxy in .NET application’s code. This avoids default proxies at the application level.
    2) If not 1, provide an app.config file for your .NET app with the proxy explicitly set in it. This avoids default proxies at the application configuration level.
    3) If not 1 or 2 (because your .NET app MUST rely on a default proxy), uncheck "Automatically Detect Settings" and instead provide a location in "Use automatic configuration script" in IE Internet Options->Local Area Network (LAN) Settings, as shown above. This avoids WPAD entirely.
    4) If not 3, Register WPAD. See for details. This protects WPAD from being spoofed.

    The proxy configuration file is searched for in a sequence of steps, which can be found at

    We hope this blog post helped clarify the risk posed by this vulnerability to your network.  Please email us with any questions you might have at switech [at] Microsoft [dot] com.

    - Neil Sikka, MSRC Engineering

  • Assessing risk for the November 2012 security updates

    Today we released six security bulletins addressing 19 CVE’s. Four of the bulletins have a maximum severity rating of Critical, one has a maximum severity rating of Important, and one has a maximum severity rating of Moderate. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

    Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Index Rating Likely first 30 days impact Platform mitigations and key notes
    (Internet Explorer)
    Victim browses to a malicious webpage. Critical 1 Likely to see reliable exploits developed within next 30 days. Internet Explorer versions 6, 7, 8, and 10 not affected. Only affects Internet Explorer 9.

    (Windows drivers [win32k.sys])

    Most likely attack vector is an attacker who is already running code on a machine uses one of these vulnerabilities to elevate from low-privileged account to SYSTEM. Critical 1 Likely to see an exploit released granting a local attacker SYSTEM level access. Two of the three CVE’s usable for local elevation of privilege only.

    The third (CVE-2012-2897) has a theoretical remote code execution attack vector in that TTF fonts can be embedded in both Office documents and PDF files and are also rendered by third party browsers. However, we have been unable trigger this particular vulnerable code path via any remote attack vectors in our experiments.


    (.NET Framework)

    Attacker on the local intranet able to respond to requests initiated by a .NET Framework application sent to the proxy server (or to a host named wpad when proxy server is unspecified) supplies a PAC file containing malicious Javascript which is executed on the victim workstation. Critical 1 Likely to see reliable exploits developed within next 30 days. CVE-2012-4776 is rated Critical due to the lack of user interaction required to trigger the vulnerability. However, realistic attack scenarios will likely require the proxy to be set to be automatically detected, will require the victim using a .NET application that leverages System.Net.WebRequest, and will likely require an attacker on the local intranet to host or man-in-the-middle the proxy response. You can read more detail about this vulnerability and the attack scenario here.

    (Windows Shell)

    Victim navigates to a malicious WebDAV or SMB share and previews a malicious Windows briefcase folder. Critical 1 Likely to see reliable exploits developed within next 30 days.  


    Victim opens a malicious .XLS file, resulting in potential code execution in the context of the logged-in user. Important 1 Likely to see reliable exploits developed within next 30 days. Excel 2013 not affected.

    (Internet Information Services [IIS])

    Attacker having access to IIS server’s operational log after an administrator has enabled Configuration Auditing may be able to access cleartext password of the user under which the IIS AppPool runs. Moderate N/A No chance for code execution. Likely to see descriptions of this information-disclosure vulnerability publicly within next 30 days. Non-default scenario for IIS 7.5 and later server.

    Info disclosure only. No code execution.

    - Jonathan Ness, MSRC Engineering