Attacks/Breaches
12/2/2013
12:15 PM
Connect Directly
RSS
E-Mail
50%
50%

Windows XP Zero-Day Vulnerability Popular

Attackers use malicious PDF documents to exploit bug in Windows XP and Windows Server 2003 and take full control of vulnerable systems.

Microsoft is warning that in-the-wild attacks have been spotted that exploit a previously unknown vulnerability in multiple versions of the Windows operating system.

The zero-day vulnerability, dubbed CVE-2013-5065, affects Windows XP SP2 and SP3, as well as Server 2003 SP2, and allows attackers to gain escalated Windows privileges.

According to Symantec, exploits that target the vulnerability first appeared at the beginning of November. "The attack arrives as a malicious PDF file with file names such as syria15.10.pdf or Note_¹107-41D.pdf, likely by an email attachment, although there is a possibility that targeted users are being enticed to download the malicious file from a website prepared by the attacker," reads a blog post from Symantec.

"Upon successful exploitation of the vulnerability, another malicious file, observed since mid-October, is dropped onto the compromised computer," Symantec said. That malware -- a Trojan known as Wipbot, although some other versions may be detected as Pidief or Suspicious.Cloud.7.F -- forwards information about infected systems to a command-and-control (C&C) server run by attackers.

[ When it comes to zero-day attacks, patching is no longer enough. Read Zero-Day Drive-By Attacks: Accelerating & Expanding. ]

To date, according to Symantec, a "small number" of infected systems have been seen predominantly in India, followed -- in order of severity -- by Australia, the United States, Chile, Hungary, Germany, Norway, and Saudi Arabia.

If the vulnerability is successfully exploited, an attacker could take full control of a system. "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," reads a security advisory from Microsoft. "An attacker could then install programs; view, change, or delete data; or create new accounts with full administrator rights."

The vulnerability has been traced to an input validation error in NDProxy.sys, which is a system-provided driver that interfaces WAN miniport drivers, call managers, and miniport call managers to the Telephony Application Programming Interface (TAPI) services, according to Microsoft.

To exploit the bug, however, an attacker must first gain local access to a system, and to do that, the attacks seen to date have first exploited an Adobe Reader vulnerability. Thankfully, however, the malicious PDF files that have been recovered from active attacks appear to target a vulnerability that's already been patched by Adobe. "The exploit targets Adobe Reader 9.5.4, 10.1.6, 11.0.02, and prior on Windows XP SP3," reads a blog post from researchers at security firm FireEye, which discovered the attacks and reported them to Microsoft. "Those running the latest versions of Adobe Reader should not be affected by this exploit."

Pending a patch from Microsoft, how can information security managers safeguard their systems against attackers using malicious PDF documents to exploit the vulnerability? According to multiple security experts, upgrading to the latest version of Adobe Reader, which is free, or to Microsoft Vista (or newer) or Windows Server 2008 (or newer) will mitigate the vulnerability.

Microsoft said the vulnerability can also be temporarily mitigated by rerouting the NDProxy service to Null.sys. "For environments with non-default, limited user privileges, Microsoft has verified that the... workaround effectively blocks the attacks that have been observed in the wild."

On the downside, however, disabling NDProxy.sys will cause certain services that rely on Windows TAPI to not function, according to Microsoft. That includes remote access service (RAS), dial-up networking, and virtual private networking (VPN).

The vulnerability will likely intensify calls for people to ditch Windows XP in favor of more modern Windows operating systems that are vulnerable to fewer types of attacks like this one.

Knowing your enemy is the first step in guarding against him. In this Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, we examine the world of cybercriminals -- including their motives, resources, and processes -- and recommend what enterprises should do to keep their data and computing systems safe in the face of an ever-growing and ever-more-sophisticated threat. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
IT-security-gladiator
50%
50%
IT-security-gladiator,
User Rank: Apprentice
12/2/2013 | 1:55:11 PM
How to fully protect XP even when it expires in 2014
I am an IT Consultant in North America and I have run into many Clients who simply cannot afford to upgrade their hardware and or software to Windows 7 or 8. The main reasons are the amount of money and time it takes to accomplish this. A typical example is that their existing vertical business application software needs to be rewritten for either Windows 7 or 8. Further since their hardware is still working they simply refuse to migrate from XP but they are afraid of getting viruses and malware. Essentially many Microsoft Users are stuck between a rock and hard place.

So I found an excellent User friendly Linux OS that cocoons all versions of Windows: i.e. XP and or 7 inside a very innovative Virtual Machine so that the users data files are saved to a Linux partition while the Windows OS & software is initially backed up and stored in just one .vdi file safely inside the Linux partition,  which contains their original Windows installation with all its programs too. So if they get hit with a morphing virus it takes them only one click to restore their original copy of Windows XP or 7 and of course since their data is always safe inside the Linux partition and fully read writable from the Windows OS with bookmarked folders there is no downtime as it only takes seconds to click on their Robolinux menu option that restores their original perfect Windows Virtual Machine back to the way it was before the virus struck them.

The result is my Clients are saving a lot of money and they are completely immune to all Windows malware and now they have as much time as they need to rewrite their software for either Linux or Windows 7. None of my Clients will even consider Windows 8 as a solution.

Check it out: Google Robolinux.
Filline
50%
50%
Filline,
User Rank: Apprentice
12/4/2013 | 3:25:46 AM
Re: How to fully protect XP even when it expires in 2014
Maybe this is not the place to ask for problem! I lost my XP login admin password. And got suggestion from http://www.windowspasswordsrecovery.com/forgot-windows-xp-password.htm Will update XP to Windows 8.1 need password? if yes, I update my XP to 8.1 without password unlock now.
zhangyide321
50%
50%
zhangyide321,
User Rank: Apprentice
6/30/2014 | 4:54:57 AM
Re: How to fully protect XP even when it expires in 2014
Windows 8 is better for touch screen, which is not for common users. I upgrade XP to windows 7, but forget the admin password, finially, I find the solution here: http://www.passwordtech.com/how-to-reset-windows-7-password.html. I guess the best solution is to upgrade XP to Windows 7, which is good for all. 
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1927
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

CVE-2014-1928
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

CVE-2014-1929
Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-3636
Published: 2014-10-25
D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.