
Windows XP zero-day under active attack

A new zero-day vulnerability affecting users of Windows XP and Windows Server 2003 has already been leveraged in a limited number of targeted attacks, Microsoft warns.

Just prior to Thanksgiving, Microsoft issued an advisory about the bug (CVE-2013-5065), which lies in the kernel component of Windows XP and Windows Server 2003.

According to the Wednesday advisory, exploitation could allow an elevation of privilege that gives an attacker the ability to execute code in kernel mode, then go on to “install programs; view, change or delete data; or create new accounts with full administrative rights.”

An attacker would still need a victim's login credentials and the ability to log on locally in order to exploit the vulnerability, according to Microsoft.

Last Wednesday, FireEye researchers Xiaobo Chen and Dan Caselden revealed in a blog post that they had detected in-the-wild attacks in which the kernel vulnerability was used in conjunction with an Adobe Reader exploit to target users.

Those running the latest versions of Adobe Reader, however, aren't vulnerable to the exploit, which targets Adobe Reader 9.5.4, 10.1.6, 11.0.02 and earlier versions on Windows XP Service Pack 3, FireEye found.

Over the weekend, security firm Symantec also confirmed that a “small number” of in-the-wild attacks have occurred since early November, where miscreants used malicious PDFs as an attack vector. Users in the U.S., India, Australia, Saudi Arabia and throughout Europe were targeted.

In those attacks, attackers who exploited the Windows zero-day dropped a trojan called “Wipbot” onto victims' systems, Symantec found. Wipbot is designed to steal system information, which is then shared with attackers via their control hub.

So far, Microsoft has yet to issue a fix for the vulnerability, but Dustin Childs, a spokesman for Microsoft's Trustworthy Computing team, explained in a blog post last Wednesday how users could deploy a workaround for the issue by configuring the NDProxy driver.

The NDProxy driver helps users manage Microsoft's Telephony Application Programming Interface (TAPI) for integrated computer-telephone services.

Last Thursday, Paul Ducklin, a security researcher who writes for Sophos' Naked Security blog, pointed out what users should watch for if they apply the workaround.

“Microsoft's cunning plan is to tweak the registry to configure the NDProxy driver to load NULL.SYS (a special functionless driver) instead of the faulty NDPROXY.SYS executable,” Ducklin wrote.

Upon updating the registry entry and rebooting, users will be “immune” to the Windows exploit, he continued.

“Of course, this sort of hack comes with a cost: the NDProxy service will no longer work, and therefore anything relying on [Microsoft's Telephony API] won't work either. That includes dial-up networking…and [remote access service] RAS, which you might expect; and also Microsoft's Virtual Private Network (VPN) software, which you might not expect,” Ducklin wrote.
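The following PowerShell script is an added example for verifying whether the null.sys reroute described above is in place on a host; it is not code from the article, Microsoft or Sophos. It assumes the NDProxy service is registered under the standard `HKLM\SYSTEM\CurrentControlSet\Services\NDProxy` key with the driver binary named in its `ImagePath` value, and it only reads that state, never changes it.

```powershell
# Added verification script for the CVE-2013-5065 NDProxy workaround.
# Assumption: the service key and ImagePath value follow the standard
# Windows service registry layout; the mitigated state points ImagePath
# at null.sys instead of ndproxy.sys. Run from an elevated prompt.

$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NDProxy'
$os = [Environment]::OSVersion.Version

function Test-NdproxyWorkaround {
    # Returns an object describing the host's exposure to the bug.
    $result = New-Object PSObject -Property @{
        # Windows XP is NT 5.1, Windows Server 2003 is NT 5.2
        AffectedPlatform  = ($os.Major -eq 5 -and ($os.Minor -eq 1 -or $os.Minor -eq 2))
        ImagePath         = $null
        WorkaroundApplied = $false
        # null.sys is the stock functionless driver the workaround relies on
        NullSysPresent    = Test-Path (Join-Path $env:SystemRoot 'system32\drivers\null.sys')
    }
    if (Test-Path $serviceKey) {
        $item = Get-ItemProperty -Path $serviceKey -Name ImagePath -ErrorAction SilentlyContinue
        if ($item) { $result.ImagePath = $item.ImagePath }
        # Case-insensitive match on the file name, whatever path form is stored
        if ($result.ImagePath -and ($result.ImagePath -imatch 'null\.sys$')) {
            $result.WorkaroundApplied = $true
        }
    }
    return $result
}

$check = Test-NdproxyWorkaround
if (-not $check.AffectedPlatform) {
    "OS {0} is not Windows XP / Server 2003; the NDProxy workaround does not apply here." -f $os
} elseif ($check.WorkaroundApplied -and $check.NullSysPresent) {
    "NDProxy ImagePath = '$($check.ImagePath)': null.sys reroute is in place (takes effect after reboot)."
    # Side effect noted above: anything built on TAPI, including RAS and VPN, stops working.
    # Telephony (TapiSrv) and Remote Access Connection Manager (RasMan) are the usual dependents.
    Get-Service -Name TapiSrv, RasMan -ErrorAction SilentlyContinue |
        ForEach-Object { "  dependent service {0} is {1}" -f $_.Name, $_.Status }
} else {
    "NDProxy ImagePath = '$($check.ImagePath)': driver still loads NDPROXY.SYS; host remains exposed until patched or rerouted."
}
```

The script reports only; reverting the workaround later means restoring the original ImagePath and rebooting, which the article's quoted cost (loss of RAS and VPN) is a reason to plan for.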

In its security advisory, Microsoft said that it may provide a security update for the zero-day via its monthly Patch Tuesday release (due out Dec. 10) or through an out-of-cycle fix, "depending on customer needs."
