Severity rating


Discovered date

Attack vector

Authentication required

Public exploits available

Signature detection

On this page


A man-in-the-middle attack vulnerability exists in Windows WINS servers. This vulnerability could allow a remote authenticated attacker to spoof a web proxy and thereby redirect Internet traffic to an address of the attacker’s choice.


An attacker who has successfully exploited this vulnerability could spoof the legitimate web proxy or ISATAP route and intercept or redirect Internet traffic.

Technical details (analysis)

The Web Proxy Auto-Discovery (WPAD) feature enables web clients to automatically detect proxy settings without user intervention. The WPAD feature prepends the hostname "wpad" to the fully-qualified domain name and progressively removes subdomains until it finds a WPAD server answering the domain name. The Windows WINS server does not correctly validate who can register WPAD or ISATAP entries on the WINS server. By default a WINS server will allow any user to create a registration in the WINS database for WPAD or ISATAP if the name registration does not already exist. If an attacker registers WPAD or ISATP in the WINS database and points it to an IP address they control, it would allow the attacker to conduct man-in-the-middle (MITM) attacks against any browsers configured to use WPAD to discover proxy server settings.

Affected software

DNS server on Microsoft Windows 2000 Server Service Pack 4
DNS server on Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
DNS server on Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
DNS server on Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
DNS server on Windows Server 2008 for 32-bit Systems
DNS server on Windows Server 2008 for x64-based Systems

Non-affected software

All applications not on the affected list



NIS signature

Name: Policy:Win/WINS.WPAD.MITM!CVE-2009-0094
Release Date: 2009-03-10T00:00:00

Known false positives

The signature detects a certain type of malicious default behaviour of DNS servers. If you have already applied the patch, any triggers of this signature should be ignored.


Create a WPAD.DAT Proxy Auto Configuration File on a Host Named WPAD in Your Organization to Direct Web Browsers to Your Organization’s Proxy