To achieve remote command execution on a targeted machine, the WPAD/PAC attack chains together several vulnerabilities relating to the Microsoft JScript.dll file and the PAC.
Project Zero researchers uncovered seven vulnerabilities in total, all of which have since been patched.
The authors of the post noted that WPAD (“Web Proxy Auto-Discovery Protocol”), and in particular PAC (“Proxy Auto-Config”), are “oddities”: “engineering decisions… made with imperfect information and under time pressure”.
PAC was coupled with WPAD, a protocol that lets the browser discover its proxy configuration automatically rather than connecting to a pre-configured server. Security researchers have warned about the dangers of WPAD before, particularly on Windows, which enables WPAD by default.
Holes of various sizes have been found in WPAD, from the “UNHOLY PAC” attack (used by a hacker to intercept private, one-time-use URLs containing security tokens for shared access to services) to a man-in-the-middle style attack (which allowed attackers to monitor the full HTTPS URLs of every web request a browser makes).
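The URL-monitoring problem described above comes from the PAC interface itself: a PAC script's FindProxyForURL(url, host) function is handed the complete URL of every request, including the path and query string that carry one-time tokens. The following added example (not code from the original post or from Project Zero) models that interface in Python and shows the mitigation that browsers adopted for HTTPS: strip everything after the origin before the URL reaches the PAC script. The LoggingPac class, redact_for_pac and resolve_proxy are constructed names for this illustration.

```python
from urllib.parse import urlsplit, urlunsplit


def redact_for_pac(url: str) -> str:
    """Reduce an https URL to its origin before it is passed to a PAC script.

    Path, query and fragment are dropped, so a PAC script only learns the
    host the browser is about to contact, not the token-bearing URL.
    Non-https URLs are returned unchanged, since their contents are already
    visible on the wire.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return urlunsplit((parts.scheme, parts.netloc, "/", "", ""))
    return url


class LoggingPac:
    """Constructed stand-in for a PAC script: records the URL string it was given.

    A real PAC script is JavaScript evaluated by the browser; this object plays
    the same role so the test can check what information reaches it.
    """

    def __init__(self) -> None:
        self.seen: list[str] = []

    def find_proxy_for_url(self, url: str, host: str) -> str:
        self.seen.append(url)
        return "DIRECT"


def resolve_proxy(pac: LoggingPac, url: str, redact: bool = True) -> str:
    """Browser-side glue: pick the URL form to hand to the PAC and call it."""
    host = urlsplit(url).hostname or ""
    target = redact_for_pac(url) if redact else url
    return pac.find_proxy_for_url(target, host)


if __name__ == "__main__":
    # Constructed sample request carrying a one-time token in the query string.
    sample = "https://example.com/reset?token=ONE-TIME-SECRET"
    leaky, safe = LoggingPac(), LoggingPac()
    resolve_proxy(leaky, sample, redact=False)
    resolve_proxy(safe, sample)
    print("without redaction the PAC saw:", leaky.seen[0])
    print("with redaction the PAC saw:   ", safe.seen[0])
```

Running the script prints the full token-bearing URL for the unredacted call and only `https://example.com/` for the redacted one; the same origin-only reduction is what keeps a hostile PAC from acting as the URL monitor described above.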
Researchers recommend that Microsoft users disable WPAD, which is enabled by default, and sandbox the JScript interpreter inside the WPAD service.