Microsoft is investigating a bug in Windows that allows hackers to use a web flaw to attack users.
The vulnerability stems from the way Windows resolves hostnames that do not include a fully qualified domain name (FQDN).
The Windows technology that the vulnerability affects is Web Proxy Auto-Discovery (WPAD). Customers whose domain name begins in a third-level or deeper domain, such as "contoso.co.us", are at risk.
The WPAD feature enables web clients to automatically detect proxy settings without user intervention. It prepends the hostname "wpad" to the fully qualified domain name and progressively removes subdomains until it finds a WPAD server answering for the resulting name.
A malicious user could host a WPAD server, potentially establishing it as a proxy server to conduct man-in-the-middle attacks against customers whose domains are registered as a subdomain to a second-level domain (SLD).
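The lookup sequence described above can be audited for a given primary DNS suffix to see whether any name it reaches falls outside the organisation's own domain. This is an added example, not code from Microsoft or its advisory; the function names, the `org_domain` parameter and the assumption that the search stops once two labels remain are illustrative.

```python
"""Audit which WPAD hostnames a primary DNS suffix resolves through (added example)."""


def wpad_candidates(primary_suffix, min_labels=2):
    """Return the WPAD names tried, most specific first.

    Assumption: subdomains are removed until `min_labels` labels remain.
    An empty suffix yields no candidates, matching the unaffected case
    of a machine with no primary DNS suffix.
    """
    labels = [l for l in primary_suffix.lower().strip(".").split(".") if l]
    names = []
    while len(labels) >= min_labels:
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]  # drop the leftmost subdomain and try again
    return names


def is_within(name, org_domain):
    """True if `name` is the organisation's domain or a host beneath it."""
    org = org_domain.lower().strip(".")
    return name == org or name.endswith("." + org)


def exposed_names(primary_suffix, org_domain):
    """WPAD names the client may query that the organisation does not control."""
    return [n for n in wpad_candidates(primary_suffix)
            if not is_within(n, org_domain)]


if __name__ == "__main__":
    # Constructed sample inputs: (primary DNS suffix, domain the organisation owns)
    samples = [
        ("corp.contoso.co.us", "contoso.co.us"),
        ("corp.contoso.com", "contoso.com"),
        ("", "contoso.com"),
    ]
    for suffix, org in samples:
        print(f"suffix={suffix or '(none)'}")
        for name in wpad_candidates(suffix):
            status = "inside" if is_within(name, org) else "OUTSIDE organisation"
            print(f"  {name:<28} {status}")
```

Any name reported as outside the organisation is one where a third party could answer the WPAD query, so it is worth checking who controls it or disabling automatic detection on affected clients.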
Customers who do not have a primary DNS suffix configured on their system are not affected by this vulnerability. In most cases, home users who are not members of a domain have no primary DNS suffix configured.
Connection-specific DNS suffixes may be provided by some Internet Service Providers (ISPs), and these configurations are not affected by the vulnerability either.
In an advisory, Microsoft goes on to list a number of other scenarios where users are not affected.
Customers can also disable "Automatically Detect Settings" in Internet Explorer to avoid any risk.
Microsoft said it was considering issuing a security patch to fix the problem. The next round of monthly security patches from Redmond is due next Tuesday (11 December).