12:15 PM

Windows XP Zero-Day Vulnerability Popular

Attackers use malicious PDF documents to exploit bug in Windows XP and Windows Server 2003 and take full control of vulnerable systems.

Microsoft is warning that in-the-wild attacks have been spotted that exploit a previously unknown vulnerability in multiple versions of the Windows operating system.

The zero-day vulnerability, dubbed CVE-2013-5065, affects Windows XP SP2 and SP3, as well as Server 2003 SP2, and allows attackers to gain escalated Windows privileges.

According to Symantec, exploits that target the vulnerability first appeared at the beginning of November. "The attack arrives as a malicious PDF file with file names such as syria15.10.pdf or Note_¹107-41D.pdf, likely by an email attachment, although there is a possibility that targeted users are being enticed to download the malicious file from a website prepared by the attacker," reads a blog post from Symantec.

"Upon successful exploitation of the vulnerability, another malicious file, observed since mid-October, is dropped onto the compromised computer," Symantec said. That malware -- a Trojan known as Wipbot, although some other versions may be detected as Pidief or Suspicious.Cloud.7.F -- forwards information about infected systems to a command-and-control (C&C) server run by attackers.

[ When it comes to zero-day attacks, patching is no longer enough. Read Zero-Day Drive-By Attacks: Accelerating & Expanding. ]

To date, according to Symantec, a "small number" of infected systems have been seen predominantly in India, followed -- in order of severity -- by Australia, the United States, Chile, Hungary, Germany, Norway, and Saudi Arabia.

If the vulnerability is successfully exploited, an attacker could take full control of a system. "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," reads a security advisory from Microsoft. "An attacker could then install programs; view, change, or delete data; or create new accounts with full administrator rights."

The vulnerability has been traced to an input validation error in NDProxy.sys, which is a system-provided driver that interfaces WAN miniport drivers, call managers, and miniport call managers to the Telephony Application Programming Interface (TAPI) services, according to Microsoft.

To exploit the bug, however, an attacker must first gain local access to a system, and to do that, the attacks seen to date have first exploited an Adobe Reader vulnerability. Thankfully, however, the malicious PDF files that have been recovered from active attacks appear to target a vulnerability that's already been patched by Adobe. "The exploit targets Adobe Reader 9.5.4, 10.1.6, 11.0.02, and prior on Windows XP SP3," reads a blog post from researchers at security firm FireEye, which discovered the attacks and reported them to Microsoft. "Those running the latest versions of Adobe Reader should not be affected by this exploit."

Pending a patch from Microsoft, how can information security managers safeguard their systems against attackers using malicious PDF documents to exploit the vulnerability? According to multiple security experts, upgrading to the latest version of Adobe Reader, which is free, or to Microsoft Vista (or newer) or Windows Server 2008 (or newer) will mitigate the vulnerability.

Microsoft said the vulnerability can also be temporarily mitigated by rerouting the NDProxy service to Null.sys. "For environments with non-default, limited user privileges, Microsoft has verified that the... workaround effectively blocks the attacks that have been observed in the wild."

On the downside, however, disabling NDProxy.sys will cause certain services that rely on Windows TAPI to not function, according to Microsoft. That includes remote access service (RAS), dial-up networking, and virtual private networking (VPN).

The vulnerability will likely intensify calls for people to ditch Windows XP in favor of more modern Windows operating systems that are vulnerable to fewer types of attacks like this one.

Knowing your enemy is the first step in guarding against him. In this Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, we examine the world of cybercriminals -- including their motives, resources, and processes -- and recommend what enterprises should do to keep their data and computing systems safe in the face of an ever-growing and ever-more-sophisticated threat. (Free registration required.)

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Apprentice
12/2/2013 | 1:55:11 PM
How to fully protect XP even when it expires in 2014
I am an IT Consultant in North America and I have run into many Clients who simply cannot afford to upgrade their hardware and or software to Windows 7 or 8. The main reasons are the amount of money and time it takes to accomplish this. A typical example is that their existing vertical business application software needs to be rewritten for either Windows 7 or 8. Further since their hardware is still working they simply refuse to migrate from XP but they are afraid of getting viruses and malware. Essentially many Microsoft Users are stuck between a rock and hard place.

So I found an excellent User friendly Linux OS that cocoons all versions of Windows: i.e. XP and or 7 inside a very innovative Virtual Machine so that the users data files are saved to a Linux partition while the Windows OS & software is initially backed up and stored in just one .vdi file safely inside the Linux partition,  which contains their original Windows installation with all its programs too. So if they get hit with a morphing virus it takes them only one click to restore their original copy of Windows XP or 7 and of course since their data is always safe inside the Linux partition and fully read writable from the Windows OS with bookmarked folders there is no downtime as it only takes seconds to click on their Robolinux menu option that restores their original perfect Windows Virtual Machine back to the way it was before the virus struck them.

The result is my Clients are saving a lot of money and they are completely immune to all Windows malware and now they have as much time as they need to rewrite their software for either Linux or Windows 7. None of my Clients will even consider Windows 8 as a solution.

Check it out: Google Robolinux.
User Rank: Apprentice
12/4/2013 | 3:25:46 AM
Re: How to fully protect XP even when it expires in 2014
Maybe this is not the place to ask for problem! I lost my XP login admin password. And got suggestion from Will update XP to Windows 8.1 need password? if yes, I update my XP to 8.1 without password unlock now.
User Rank: Apprentice
6/30/2014 | 4:54:57 AM
Re: How to fully protect XP even when it expires in 2014
Windows 8 is better for touch screen, which is not for common users. I upgrade XP to windows 7, but forget the admin password, finially, I find the solution here: I guess the best solution is to upgrade XP to Windows 7, which is good for all. 
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio