Attacks/Breaches
12/2/2013
12:15 PM
50%
50%

Windows XP Zero-Day Vulnerability Popular

Attackers use malicious PDF documents to exploit bug in Windows XP and Windows Server 2003 and take full control of vulnerable systems.

Microsoft is warning that in-the-wild attacks have been spotted that exploit a previously unknown vulnerability in multiple versions of the Windows operating system.

The zero-day vulnerability, dubbed CVE-2013-5065, affects Windows XP SP2 and SP3, as well as Server 2003 SP2, and allows attackers to gain escalated Windows privileges.

According to Symantec, exploits that target the vulnerability first appeared at the beginning of November. "The attack arrives as a malicious PDF file with file names such as syria15.10.pdf or Note_¹107-41D.pdf, likely by an email attachment, although there is a possibility that targeted users are being enticed to download the malicious file from a website prepared by the attacker," reads a blog post from Symantec.

"Upon successful exploitation of the vulnerability, another malicious file, observed since mid-October, is dropped onto the compromised computer," Symantec said. That malware -- a Trojan known as Wipbot, although some other versions may be detected as Pidief or Suspicious.Cloud.7.F -- forwards information about infected systems to a command-and-control (C&C) server run by attackers.

[ When it comes to zero-day attacks, patching is no longer enough. Read Zero-Day Drive-By Attacks: Accelerating & Expanding. ]

To date, according to Symantec, a "small number" of infected systems have been seen predominantly in India, followed -- in order of severity -- by Australia, the United States, Chile, Hungary, Germany, Norway, and Saudi Arabia.

If the vulnerability is successfully exploited, an attacker could take full control of a system. "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," reads a security advisory from Microsoft. "An attacker could then install programs; view, change, or delete data; or create new accounts with full administrator rights."

The vulnerability has been traced to an input validation error in NDProxy.sys, which is a system-provided driver that interfaces WAN miniport drivers, call managers, and miniport call managers to the Telephony Application Programming Interface (TAPI) services, according to Microsoft.

To exploit the bug, however, an attacker must first gain local access to a system, and to do that, the attacks seen to date have first exploited an Adobe Reader vulnerability. Thankfully, however, the malicious PDF files that have been recovered from active attacks appear to target a vulnerability that's already been patched by Adobe. "The exploit targets Adobe Reader 9.5.4, 10.1.6, 11.0.02, and prior on Windows XP SP3," reads a blog post from researchers at security firm FireEye, which discovered the attacks and reported them to Microsoft. "Those running the latest versions of Adobe Reader should not be affected by this exploit."

Pending a patch from Microsoft, how can information security managers safeguard their systems against attackers using malicious PDF documents to exploit the vulnerability? According to multiple security experts, upgrading to the latest version of Adobe Reader, which is free, or to Microsoft Vista (or newer) or Windows Server 2008 (or newer) will mitigate the vulnerability.

Microsoft said the vulnerability can also be temporarily mitigated by rerouting the NDProxy service to Null.sys. "For environments with non-default, limited user privileges, Microsoft has verified that the... workaround effectively blocks the attacks that have been observed in the wild."

On the downside, however, disabling NDProxy.sys will cause certain services that rely on Windows TAPI to not function, according to Microsoft. That includes remote access service (RAS), dial-up networking, and virtual private networking (VPN).

The vulnerability will likely intensify calls for people to ditch Windows XP in favor of more modern Windows operating systems that are vulnerable to fewer types of attacks like this one.

Knowing your enemy is the first step in guarding against him. In this Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, we examine the world of cybercriminals -- including their motives, resources, and processes -- and recommend what enterprises should do to keep their data and computing systems safe in the face of an ever-growing and ever-more-sophisticated threat. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
IT-security-gladiator
50%
50%
IT-security-gladiator,
User Rank: Apprentice
12/2/2013 | 1:55:11 PM
How to fully protect XP even when it expires in 2014
I am an IT Consultant in North America and I have run into many Clients who simply cannot afford to upgrade their hardware and or software to Windows 7 or 8. The main reasons are the amount of money and time it takes to accomplish this. A typical example is that their existing vertical business application software needs to be rewritten for either Windows 7 or 8. Further since their hardware is still working they simply refuse to migrate from XP but they are afraid of getting viruses and malware. Essentially many Microsoft Users are stuck between a rock and hard place.

So I found an excellent User friendly Linux OS that cocoons all versions of Windows: i.e. XP and or 7 inside a very innovative Virtual Machine so that the users data files are saved to a Linux partition while the Windows OS & software is initially backed up and stored in just one .vdi file safely inside the Linux partition,  which contains their original Windows installation with all its programs too. So if they get hit with a morphing virus it takes them only one click to restore their original copy of Windows XP or 7 and of course since their data is always safe inside the Linux partition and fully read writable from the Windows OS with bookmarked folders there is no downtime as it only takes seconds to click on their Robolinux menu option that restores their original perfect Windows Virtual Machine back to the way it was before the virus struck them.

The result is my Clients are saving a lot of money and they are completely immune to all Windows malware and now they have as much time as they need to rewrite their software for either Linux or Windows 7. None of my Clients will even consider Windows 8 as a solution.

Check it out: Google Robolinux.
Filline
50%
50%
Filline,
User Rank: Apprentice
12/4/2013 | 3:25:46 AM
Re: How to fully protect XP even when it expires in 2014
Maybe this is not the place to ask for problem! I lost my XP login admin password. And got suggestion from http://www.windowspasswordsrecovery.com/forgot-windows-xp-password.htm Will update XP to Windows 8.1 need password? if yes, I update my XP to 8.1 without password unlock now.
zhangyide321
50%
50%
zhangyide321,
User Rank: Apprentice
6/30/2014 | 4:54:57 AM
Re: How to fully protect XP even when it expires in 2014
Windows 8 is better for touch screen, which is not for common users. I upgrade XP to windows 7, but forget the admin password, finially, I find the solution here: http://www.passwordtech.com/how-to-reset-windows-7-password.html. I guess the best solution is to upgrade XP to Windows 7, which is good for all. 
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-2987
Published: 2015-08-28
Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.

CVE-2015-6266
Published: 2015-08-28
The guest portal in Cisco Identity Services Engine (ISE) 3300 1.2(0.899) does not restrict access to uploaded HTML documents, which allows remote attackers to obtain sensitive information from customized documents via a direct request, aka Bug ID CSCuo78045.

CVE-2015-5367
Published: 2015-08-27
The HP lt4112 LTE/HSPA+ Gobi 4G module with firmware before 12.500.00.15.1803 on EliteBook, ElitePad, Elite, ProBook, Spectre, ZBook, and mt41 Thin Client devices allows local users to gain privileges via unspecified vectors.

CVE-2015-5368
Published: 2015-08-27
The HP lt4112 LTE/HSPA+ Gobi 4G module with firmware before 12.500.00.15.1803 on EliteBook, ElitePad, Elite, ProBook, Spectre, ZBook, and mt41 Thin Client devices allows remote attackers to modify data or cause a denial of service, or execute arbitrary code, via unspecified vectors.

CVE-2013-7424
Published: 2015-08-26
The getaddrinfo function in glibc before 2.15, when compiled with libidn and the AI_IDN flag is used, allows context-dependent attackers to cause a denial of service (invalid free) and possibly execute arbitrary code via unspecified vectors, as demonstrated by an internationalized domain name to pin...

Dark Reading Radio
Archived Dark Reading Radio
Another Black Hat is in the books and Dark Reading was there. Join the editors as they share their top stories, biggest lessons, and best conversations from the premier security conference.