aPAColypse The WPAD and PAC Exploits

A recent set of vulnerabilities (known as aPAColypse) related to Web Proxy Auto Discovery Protocol (WPAD) and Proxy Auto-Config (PAC) have been discovered.

WPAD and PAC are tied to how web browsers handle HTTPS and HTTP requests. PAC files specifically contain JavaScript instructions that tell a browser what proxy to use in order to get to a certain website. If an attacker were to successfully inject their own malicious PAC file, they would be able to monitor the victim’s traffic whenever a browser request is made. The vulnerabilities allow an attacker to execute untrusted JavaScript files on a system. This in turn, allows an attacker to gain remote command execution.

Several vulnerabilities are used in conjunction and can affect a fully patched Windows 10 system.

Affected Platforms : Microsoft Internet Explorer – All Versions

Resolution:

Disable the WPAD service in Internet Explorer or use an alternative browser.

Disable the “WinHttpAutoProxySvc” service. This is not recommended unless an alternative is in place. Sometimes this can’t be done in the Services UI (“Startup type” control will be grayed out) due to other services depending on WPAD, but it can be done via the corresponding registry entry. Under “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc” change the value of “Start” from 3 (manual) to 4 (disabled).