04:24 PM

Targeted Attacks Spotted Exploiting Microsoft XP Zero-Day

Microsoft working on a fix for newly discovered local escalation of privilege vulnerability in XP and Windows 2003

Researchers late last week discovered targeted attacks in the wild exploiting a previously unknown kernel vulnerability in Microsoft XP. Security experts say the attacks may be a sign of things to come as attackers home in on the older operating system, which Microsoft will no longer support as of April 2014.

One-fifth of all operating systems in use today are Windows XP machines, according to Microsoft, and XP machines are six times more likely to be infected by malware, even though Windows 8 and XP actually encounter the same volume of malware. That, and the fact that there will be no more patches for the 12-year-old operating system as of April 8, are making XP an even more attractive target by cyberespionage actors and, ultimately, traditional cybercriminals.

The newly discovered zero-day flaw actually affects both XP and Windows 2003, but the attacks seen in the wild by researchers at FireEye appear to exploit only XP. On its own, the local privilege escalation bug in the kernel of both OSes can't be used to compromise a remote system, but on a system that has already been hijacked it can be used to run malware or other attacks with elevated privileges.

The attacks rely on the victim opening a malicious PDF file to infect them, according to Dustin Childs, group manager for response communications with Microsoft's Trustworthy Computing group. "These limited, targeted attacks require users to open a malicious PDF file. While we are actively working to develop a security update to address this issue, we encourage customers running Windows XP and Server 2003 to deploy" workarounds, he says, which Microsoft included in a Security Advisory issued on Thanksgiving eve.

FireEye researchers Xiaobo Chen and Dan Caselden say the exploit targets a patched bug in Adobe Reader 9.5.4, 10.1.6, 11.0.02, and earlier versions on Windows XP SP3, so users running updated Reader software are safe. "The vulnerability cannot be used for remote code execution but could allow a standard user account to execute code in the kernel. Currently, the exploit appears to only work in Windows XP," they wrote in a blog post. "Post exploitation, the shellcode decodes a PE payload from the PDF, drops it in the temporary directory, and executes it."

[Nearly half of the 1 million machines managed by enterprise mobility management firm Fiberlink for its clients are XP systems. See Windows XP Holdouts Hold On.]

These latest zero-day attacks are just the tip of the iceberg in attacks to come for XP, security experts say. "I think we'll see a whole group of people looking at XP vulnerabilities," says Wolfgang Kandek, CTO at Qualys. "I don't think XP is going to be very defendable for two to three months after it stops getting updated."

Kandek says it won't take much effort, either, to find new flaws in XP. Attackers can merely extrapolate some flaws in XP from patches to Internet Explorer 7, for example.

The new local privilege escalation attack essentially performs an Adobe PDF sandbox escape, he says. This multiple-vulnerability chain approach is becoming popular in many new attacks, he says, mainly because tighter software security features like ASLR and others make exploitation more difficult. "Most attackers need to chain together multiple vulns. I think this is in that spirit," he says of the new attack. "The attackers now send you a document with a PDF vulnerability. They need to chain another [exploit] to it to become administrator" on the targeted machine, he says.

Microsoft did not provide any additional details on the nature of the targeted attacks or the victims, but Kandek says it has all the earmarks of an advanced persistent threat (APT)-style attack. "My feeling is that it was used in an APT targeted attack," he says. And next it will be exploited by mainstream attackers and become more widespread, as is the typical progression of zero-days, he says.

Meanwhile, Microsoft has issued a recommended workaround for the flaw while it prepares a patch: rerouting the NDProxy service to Null.sys, so that the vulnerable kernel driver is never loaded. FireEye suggests upgrading to the latest version of Adobe Reader and migrating the operating system to Windows 7 or higher.
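A check for the Microsoft workaround, added here as an example and not code from the article or from Microsoft's advisory: it reads the NDProxy service's ImagePath from the standard service registry location (assumed to be HKLM\SYSTEM\CurrentControlSet\Services\NDProxy) and reports whether the driver has been redirected to null.sys. It is written for the PowerShell 2.0 syntax available on XP SP3 and Server 2003; the Test-NdproxyWorkaround function name is my own.

```powershell
# Added example: verify whether the NDProxy-to-null.sys workaround for the
# XP / Server 2003 kernel privilege-escalation flaw is in place on this host.
# Assumes the standard service key below; function name is an example name.
function Test-NdproxyWorkaround {
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NDProxy'
    if (-not (Test-Path $svcKey)) {
        return New-Object PSObject -Property @{
            Applied   = $false
            ImagePath = $null
            Reason    = 'NDProxy service key not found'
        }
    }
    # ImagePath is REG_EXPAND_SZ; expand %SystemRoot% and friends, then compare
    # the file name only so both "system32\drivers\null.sys" and a full path match.
    $imagePath = (Get-ItemProperty -Path $svcKey -Name ImagePath).ImagePath
    $expanded  = [Environment]::ExpandEnvironmentVariables($imagePath)
    $applied   = ([IO.Path]::GetFileName($expanded) -ieq 'null.sys')
    $reason = if ($applied) { 'ImagePath points at null.sys' }
              else          { 'ImagePath still points at the NDProxy driver' }
    New-Object PSObject -Property @{
        Applied   = $applied
        ImagePath = $imagePath
        Reason    = $reason
    }
}

# Only XP (5.1) and Server 2003 / XP x64 (5.2) are affected; report, do not flag, newer builds.
$os = [Environment]::OSVersion.Version
if ($os.Major -eq 5 -and ($os.Minor -eq 1 -or $os.Minor -eq 2)) {
    Test-NdproxyWorkaround | Format-List Applied, ImagePath, Reason
} else {
    "Windows $($os.Major).$($os.Minor): not an XP/Server 2003 host; workaround not applicable"
}
```

The workaround disables the driver behind TAPI-based services, so a host reporting Applied = $true will have lost RAS, dial-up and VPN connectivity until the patch is installed and the ImagePath restored.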


Kelly Jackson Higgins is Senior Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
