Attacks/Breaches
12/2/2013
12:15 PM
Connect Directly
RSS
E-Mail
50%
50%

Windows XP Zero-Day Vulnerability Popular

Attackers use malicious PDF documents to exploit bug in Windows XP and Windows Server 2003 and take full control of vulnerable systems.

Microsoft is warning that in-the-wild attacks have been spotted that exploit a previously unknown vulnerability in multiple versions of the Windows operating system.

The zero-day vulnerability, dubbed CVE-2013-5065, affects Windows XP SP2 and SP3, as well as Server 2003 SP2, and allows attackers to gain escalated Windows privileges.

According to Symantec, exploits that target the vulnerability first appeared at the beginning of November. "The attack arrives as a malicious PDF file with file names such as syria15.10.pdf or Note_¹107-41D.pdf, likely by an email attachment, although there is a possibility that targeted users are being enticed to download the malicious file from a website prepared by the attacker," reads a blog post from Symantec.

"Upon successful exploitation of the vulnerability, another malicious file, observed since mid-October, is dropped onto the compromised computer," Symantec said. That malware -- a Trojan known as Wipbot, although some other versions may be detected as Pidief or Suspicious.Cloud.7.F -- forwards information about infected systems to a command-and-control (C&C) server run by attackers.

[ When it comes to zero-day attacks, patching is no longer enough. Read Zero-Day Drive-By Attacks: Accelerating & Expanding. ]

To date, according to Symantec, a "small number" of infected systems have been seen predominantly in India, followed -- in order of severity -- by Australia, the United States, Chile, Hungary, Germany, Norway, and Saudi Arabia.

If the vulnerability is successfully exploited, an attacker could take full control of a system. "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," reads a security advisory from Microsoft. "An attacker could then install programs; view, change, or delete data; or create new accounts with full administrator rights."

The vulnerability has been traced to an input validation error in NDProxy.sys, which is a system-provided driver that interfaces WAN miniport drivers, call managers, and miniport call managers to the Telephony Application Programming Interface (TAPI) services, according to Microsoft.

To exploit the bug, however, an attacker must first gain local access to a system, and to do that, the attacks seen to date have first exploited an Adobe Reader vulnerability. Thankfully, however, the malicious PDF files that have been recovered from active attacks appear to target a vulnerability that's already been patched by Adobe. "The exploit targets Adobe Reader 9.5.4, 10.1.6, 11.0.02, and prior on Windows XP SP3," reads a blog post from researchers at security firm FireEye, which discovered the attacks and reported them to Microsoft. "Those running the latest versions of Adobe Reader should not be affected by this exploit."

Pending a patch from Microsoft, how can information security managers safeguard their systems against attackers using malicious PDF documents to exploit the vulnerability? According to multiple security experts, upgrading to the latest version of Adobe Reader, which is free, or to Microsoft Vista (or newer) or Windows Server 2008 (or newer) will mitigate the vulnerability.

Microsoft said the vulnerability can also be temporarily mitigated by rerouting the NDProxy service to Null.sys. "For environments with non-default, limited user privileges, Microsoft has verified that the... workaround effectively blocks the attacks that have been observed in the wild."

On the downside, however, disabling NDProxy.sys will cause certain services that rely on Windows TAPI to not function, according to Microsoft. That includes remote access service (RAS), dial-up networking, and virtual private networking (VPN).

The vulnerability will likely intensify calls for people to ditch Windows XP in favor of more modern Windows operating systems that are vulnerable to fewer types of attacks like this one.

Knowing your enemy is the first step in guarding against him. In this Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, we examine the world of cybercriminals -- including their motives, resources, and processes -- and recommend what enterprises should do to keep their data and computing systems safe in the face of an ever-growing and ever-more-sophisticated threat. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
IT-security-gladiator
50%
50%
IT-security-gladiator,
User Rank: Apprentice
12/2/2013 | 1:55:11 PM
How to fully protect XP even when it expires in 2014
I am an IT Consultant in North America and I have run into many Clients who simply cannot afford to upgrade their hardware and or software to Windows 7 or 8. The main reasons are the amount of money and time it takes to accomplish this. A typical example is that their existing vertical business application software needs to be rewritten for either Windows 7 or 8. Further since their hardware is still working they simply refuse to migrate from XP but they are afraid of getting viruses and malware. Essentially many Microsoft Users are stuck between a rock and hard place.

So I found an excellent User friendly Linux OS that cocoons all versions of Windows: i.e. XP and or 7 inside a very innovative Virtual Machine so that the users data files are saved to a Linux partition while the Windows OS & software is initially backed up and stored in just one .vdi file safely inside the Linux partition,  which contains their original Windows installation with all its programs too. So if they get hit with a morphing virus it takes them only one click to restore their original copy of Windows XP or 7 and of course since their data is always safe inside the Linux partition and fully read writable from the Windows OS with bookmarked folders there is no downtime as it only takes seconds to click on their Robolinux menu option that restores their original perfect Windows Virtual Machine back to the way it was before the virus struck them.

The result is my Clients are saving a lot of money and they are completely immune to all Windows malware and now they have as much time as they need to rewrite their software for either Linux or Windows 7. None of my Clients will even consider Windows 8 as a solution.

Check it out: Google Robolinux.
Filline
50%
50%
Filline,
User Rank: Apprentice
12/4/2013 | 3:25:46 AM
Re: How to fully protect XP even when it expires in 2014
Maybe this is not the place to ask for problem! I lost my XP login admin password. And got suggestion from http://www.windowspasswordsrecovery.com/forgot-windows-xp-password.htm Will update XP to Windows 8.1 need password? if yes, I update my XP to 8.1 without password unlock now.
zhangyide321
50%
50%
zhangyide321,
User Rank: Apprentice
6/30/2014 | 4:54:57 AM
Re: How to fully protect XP even when it expires in 2014
Windows 8 is better for touch screen, which is not for common users. I upgrade XP to windows 7, but forget the admin password, finially, I find the solution here: http://www.passwordtech.com/how-to-reset-windows-7-password.html. I guess the best solution is to upgrade XP to Windows 7, which is good for all. 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5619
Published: 2014-09-29
The Sleuth Kit (TSK) 4.0.1 does not properly handle "." (dotfile) file system entries in FAT file systems and other file systems for which . is not a reserved name, which allows local users to hide activities it more difficult to conduct forensics activities, as demonstrated by Flame.

CVE-2012-5621
Published: 2014-09-29
lib/engine/components/opal/opal-call.cpp in ekiga before 4.0.0 allows remote attackers to cause a denial of service (crash) via an OPAL connection with a party name that contains invalid UTF-8 strings.

CVE-2012-6107
Published: 2014-09-29
Apache Axis2/C does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2012-6110
Published: 2014-09-29
bcron-exec in bcron before 0.10 does not close file descriptors associated with temporary files when running a cron job, which allows local users to modify job files and send spam messages by accessing an open file descriptor.

CVE-2013-1874
Published: 2014-09-29
Untrusted search path vulnerability in csi in Chicken before 4.8.2 allows local users to execute arbitrary code via a Trojan horse .csirc in the current working directory.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.