WPAD: Windows Proxy Auto Detect Vulnerability

I was installing my own Squid cache this weekend for my home network and wanted to set it up such that when my devices are home, they automatically use the proxy. I looked into it a bit, and Windows Proxy Auto Detect, or WPAD, seemed like a good solution. Basically, you turn on "automatic proxy detection" in your browser - be it Internet Explorer, Firefox, Flock, Safari, or anything else - and it automatically finds the proxy server.
How does it find the server? It uses a DHCP configuration option or DNS to search for the entry "wpad.yourdomain.com", where yourdomain.com is your local domain as served up by your DHCP server. If that host resolves, the browser looks on that server for a wpad.dat file - a small bit of JavaScript that tells the browser what the proxies are. If that file is there, the browser blindly trusts it and executes the JavaScript to obtain the proxy settings right from that file - even if you have completely disabled JavaScript in the browser. The next logical question for me was "where is the authentication for this?" and the answer is: there is no authentication.
This is scary for a number of reasons. If you can set a proxy for someone, that means you can force them to connect to a proxy YOU control. This is a man-in-the-middle attack, and you can now obtain login credentials or anything else - including for SSL sites. Now, this gets even better if you combine it with a DNS cache poisoning attack or a second/fake DHCP server. How about you go to the local wireless hotspot and redirect WPAD to a server you control (even prior to asking for the credit card input)? You can now intercept their browsing sessions. How about you check into a local hotel? Do you suspect that a number of executives will be staying there with browsers preconfigured to look for a local proxy? I do. Oh, and the best part is that this is 100% transparent to the user - no pop-up box or other warnings are provided.
Allowing an unauthenticated network device/file to modify your behavior without your knowledge or consent is bad security. Although there have been published exploits for this in the past (and Microsoft fixes such as MS99-054), this remains a vulnerability - especially combined with DNS cache poisoning or a second DHCP server controlled by an attacker. In today's world, the assumption must be made that computers are not stationary. They move around, and hence their security environment changes with them. Long-standing "features" like WPAD should be either secured or eliminated based on risk. The world has changed since this was introduced, and our products should also change based on the updated risk profile.