Attacks/Breaches
12/2/2013
12:15 PM
Connect Directly
RSS
E-Mail
50%
50%

Windows XP Zero-Day Vulnerability Popular

Attackers use malicious PDF documents to exploit bug in Windows XP and Windows Server 2003 and take full control of vulnerable systems.

Microsoft is warning that in-the-wild attacks have been spotted that exploit a previously unknown vulnerability in multiple versions of the Windows operating system.

The zero-day vulnerability, dubbed CVE-2013-5065, affects Windows XP SP2 and SP3, as well as Server 2003 SP2, and allows attackers to gain escalated Windows privileges.

According to Symantec, exploits that target the vulnerability first appeared at the beginning of November. "The attack arrives as a malicious PDF file with file names such as syria15.10.pdf or Note_¹107-41D.pdf, likely by an email attachment, although there is a possibility that targeted users are being enticed to download the malicious file from a website prepared by the attacker," reads a blog post from Symantec.

"Upon successful exploitation of the vulnerability, another malicious file, observed since mid-October, is dropped onto the compromised computer," Symantec said. That malware -- a Trojan known as Wipbot, although some other versions may be detected as Pidief or Suspicious.Cloud.7.F -- forwards information about infected systems to a command-and-control (C&C) server run by attackers.

[ When it comes to zero-day attacks, patching is no longer enough. Read Zero-Day Drive-By Attacks: Accelerating & Expanding. ]

To date, according to Symantec, a "small number" of infected systems have been seen predominantly in India, followed -- in order of severity -- by Australia, the United States, Chile, Hungary, Germany, Norway, and Saudi Arabia.

If the vulnerability is successfully exploited, an attacker could take full control of a system. "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," reads a security advisory from Microsoft. "An attacker could then install programs; view, change, or delete data; or create new accounts with full administrator rights."

The vulnerability has been traced to an input validation error in NDProxy.sys, which is a system-provided driver that interfaces WAN miniport drivers, call managers, and miniport call managers to the Telephony Application Programming Interface (TAPI) services, according to Microsoft.

To exploit the bug, however, an attacker must first gain local access to a system, and to do that, the attacks seen to date have first exploited an Adobe Reader vulnerability. Thankfully, however, the malicious PDF files that have been recovered from active attacks appear to target a vulnerability that's already been patched by Adobe. "The exploit targets Adobe Reader 9.5.4, 10.1.6, 11.0.02, and prior on Windows XP SP3," reads a blog post from researchers at security firm FireEye, which discovered the attacks and reported them to Microsoft. "Those running the latest versions of Adobe Reader should not be affected by this exploit."

Pending a patch from Microsoft, how can information security managers safeguard their systems against attackers using malicious PDF documents to exploit the vulnerability? According to multiple security experts, upgrading to the latest version of Adobe Reader, which is free, or to Microsoft Vista (or newer) or Windows Server 2008 (or newer) will mitigate the vulnerability.

Microsoft said the vulnerability can also be temporarily mitigated by rerouting the NDProxy service to Null.sys. "For environments with non-default, limited user privileges, Microsoft has verified that the... workaround effectively blocks the attacks that have been observed in the wild."

On the downside, however, disabling NDProxy.sys will cause certain services that rely on Windows TAPI to not function, according to Microsoft. That includes remote access service (RAS), dial-up networking, and virtual private networking (VPN).

The vulnerability will likely intensify calls for people to ditch Windows XP in favor of more modern Windows operating systems that are vulnerable to fewer types of attacks like this one.

Knowing your enemy is the first step in guarding against him. In this Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, we examine the world of cybercriminals -- including their motives, resources, and processes -- and recommend what enterprises should do to keep their data and computing systems safe in the face of an ever-growing and ever-more-sophisticated threat. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
IT-security-gladiator
50%
50%
IT-security-gladiator,
User Rank: Apprentice
12/2/2013 | 1:55:11 PM
How to fully protect XP even when it expires in 2014
I am an IT Consultant in North America and I have run into many Clients who simply cannot afford to upgrade their hardware and or software to Windows 7 or 8. The main reasons are the amount of money and time it takes to accomplish this. A typical example is that their existing vertical business application software needs to be rewritten for either Windows 7 or 8. Further since their hardware is still working they simply refuse to migrate from XP but they are afraid of getting viruses and malware. Essentially many Microsoft Users are stuck between a rock and hard place.

So I found an excellent User friendly Linux OS that cocoons all versions of Windows: i.e. XP and or 7 inside a very innovative Virtual Machine so that the users data files are saved to a Linux partition while the Windows OS & software is initially backed up and stored in just one .vdi file safely inside the Linux partition,  which contains their original Windows installation with all its programs too. So if they get hit with a morphing virus it takes them only one click to restore their original copy of Windows XP or 7 and of course since their data is always safe inside the Linux partition and fully read writable from the Windows OS with bookmarked folders there is no downtime as it only takes seconds to click on their Robolinux menu option that restores their original perfect Windows Virtual Machine back to the way it was before the virus struck them.

The result is my Clients are saving a lot of money and they are completely immune to all Windows malware and now they have as much time as they need to rewrite their software for either Linux or Windows 7. None of my Clients will even consider Windows 8 as a solution.

Check it out: Google Robolinux.
Filline
50%
50%
Filline,
User Rank: Apprentice
12/4/2013 | 3:25:46 AM
Re: How to fully protect XP even when it expires in 2014
Maybe this is not the place to ask for problem! I lost my XP login admin password. And got suggestion from http://www.windowspasswordsrecovery.com/forgot-windows-xp-password.htm Will update XP to Windows 8.1 need password? if yes, I update my XP to 8.1 without password unlock now.
zhangyide321
50%
50%
zhangyide321,
User Rank: Apprentice
6/30/2014 | 4:54:57 AM
Re: How to fully protect XP even when it expires in 2014
Windows 8 is better for touch screen, which is not for common users. I upgrade XP to windows 7, but forget the admin password, finially, I find the solution here: http://www.passwordtech.com/how-to-reset-windows-7-password.html. I guess the best solution is to upgrade XP to Windows 7, which is good for all. 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2014-2640
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-2641
Published: 2014-10-01
Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.