Windows XP zero-day under active attack


A new zero-day vulnerability affecting users of Windows XP and Windows Server 2003 has already been leveraged in a limited number of targeted attacks, Microsoft warns.

Just prior to Thanksgiving, Microsoft issued an advisory about the bug (CVE-2013-5065), which lies in the kernel component of Windows XP and Windows Server 2003.

According to the Wednesday advisory, exploitation could allow an elevation of privilege that gives an attacker the ability to execute code in kernel mode, then go on to “install programs; view, change or delete data; or create new accounts with full administrative rights.”

An attacker would still need a victim's login credentials to log on locally in order to exploit the vulnerability, according to Microsoft.

Last Wednesday, FireEye researchers Xiaobo Chen and Dan Caselden revealed in a blog post that in-the-wild attacks had been detected in which the kernel vulnerability was used in conjunction with an Adobe Reader exploit to target users.

Those running the latest versions of Adobe Reader, however, aren't vulnerable to the exploit, which targets Adobe Reader 9.5.4, 10.1.6, 11.0.02 and earlier versions on Windows XP Service Pack 3, FireEye found.

Over the weekend, security firm Symantec also confirmed that a “small number” of in-the-wild attacks have occurred since early November, where miscreants used malicious PDFs as an attack vector. Users in the U.S., India, Australia, Saudi Arabia and throughout Europe were targeted.

In those attacks, attackers who exploited the Windows zero-day dropped a trojan called “Wipbot” onto victims' systems, Symantec found. Wipbot is designed to steal system information, which is then sent back to the attackers' command-and-control infrastructure.

So far, Microsoft has yet to issue a fix for the vulnerability, but Dustin Childs, a spokesman for Microsoft's Trustworthy Computing team, explained in a blog post last Wednesday how users could apply a workaround for the issue by reconfiguring the NDProxy driver.

The NDProxy driver helps users manage Microsoft's Telephony Application Programming Interface (TAPI) for integrated computer-telephone services.

Last Thursday, Paul Ducklin, a security researcher who writes for Sophos' Naked Security blog, described the side effects users should watch for if they apply the workaround.

“Microsoft's cunning plan is to tweak the registry to configure the NDProxy driver to load NULL.SYS (a special functionless driver) instead of the faulty NDPROXY.SYS executable,” Ducklin wrote.

Upon updating the registry entry and rebooting, users will be “immune” to the Windows exploit, he continued.

“Of course, this sort of hack comes with a cost: the NDProxy service will no longer work, and therefore anything relying on [Microsoft's Telephony API] won't work either. That includes dial-up networking…and [remote access service] RAS, which you might expect; and also Microsoft's Virtual Private Network (VPN) software, which you might not expect,” Ducklin wrote.
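As an added example, not code from the article, from Microsoft's advisory or from Sophos, the following batch script for Windows XP/Server 2003 reports whether the registry-based NDProxy-to-NULL.SYS workaround described above is in effect on a host and shows the state of the telephony and remote-access services it disables. It assumes the standard service key HKLM\SYSTEM\CurrentControlSet\Services\NDProxy and its ImagePath value, and must be run from an administrator command prompt.

```batch
@echo off
rem Added example (not from the article or Microsoft's advisory): report whether
rem NDProxy has been pointed at null.sys and which dependent services are affected.
rem Assumes the standard service key and ImagePath value named below.
setlocal
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\NDProxy
set IMG=

rem reg query prints "ImagePath  REG_EXPAND_SZ  <path>"; keep everything after the type.
for /f "tokens=2,*" %%A in ('reg query "%KEY%" /v ImagePath 2^>nul ^| findstr /i "ImagePath"') do set IMG=%%B

if "%IMG%"=="" (
    echo NDProxy service key not found or ImagePath unreadable; cannot assess.
    exit /b 2
)

echo NDProxy ImagePath = %IMG%
echo %IMG% | findstr /i /l "null.sys" >nul
if %errorlevel%==0 (
    echo Workaround APPLIED: NDProxy loads null.sys, so TAPI, dial-up, RAS and VPN will not work.
    set RESULT=0
) else (
    echo Workaround NOT applied: NDProxy still loads its normal driver image.
    set RESULT=1
)

rem Show the services that depend on NDProxy/TAPI so the operational cost is visible.
echo.
echo State of services affected by the workaround:
for %%S in (NDProxy TapiSrv RasMan RasAuto) do (
    echo   --- %%S ---
    sc query %%S 2>nul | findstr /i "STATE"
)
exit /b %RESULT%
```

The script only reads registry and service state; exit code 0 means the workaround is in place, 1 means it is not, and 2 means the key could not be read.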

In its security advisory, Microsoft said that it may provide a security update for the zero-day via its monthly Patch Tuesday release (due out Dec. 10) or through an out-of-cycle fix, “depending on customer needs.”
