Targeted Attacks Spotted Exploiting Microsoft XP Zero-Day

Microsoft is working on a fix for a newly discovered local privilege escalation vulnerability in Windows XP and Windows Server 2003

Researchers late last week discovered targeted attacks in the wild exploiting a previously unknown kernel vulnerability in Windows XP. Security experts say the attacks may be a sign of things to come as attackers home in on the older operating system, which Microsoft will no longer support as of April 2014.

Windows XP still runs one-fifth of all machines in use today, according to Microsoft, and XP machines are six times more likely to be infected by malware, even though Windows 8 and XP encounter the same volume of malware. That, and the fact that there will be no more patches for the 12-year-old operating system as of April 8, 2014, make XP an even more attractive target for cyberespionage actors and, ultimately, traditional cybercriminals.

The newly discovered zero-day flaw affects both XP and Windows Server 2003, but the attacks seen in the wild by researchers at FireEye only appear to exploit XP. A local privilege escalation bug in the kernel cannot compromise a remote system on its own: the attacker first needs code running on the machine in the user's context, typically through a separate exploit, and then uses the kernel bug to escalate from that standard-user context and run malware or other tooling with full system privileges.

The attacks rely on the victim opening a malicious PDF file, according to Dustin Childs, group manager for response communications with Microsoft's Trustworthy Computing group. "These limited, targeted attacks require users to open a malicious PDF file. While we are actively working to develop a security update to address this issue, we encourage customers running Windows XP and Server 2003 to deploy" workarounds, he says, which Microsoft included in a Security Advisory issued on Thanksgiving eve.

FireEye researchers Xiaobo Chen and Dan Caselden say the exploit targets an already-patched bug in Adobe Reader 9.5.4, 10.1.6, 11.0.02, and earlier versions on Windows XP SP3, so users running current Reader software are not exposed to this particular exploit chain; the kernel flaw itself, however, remains unpatched and could be paired with a different entry point. "The vulnerability cannot be used for remote code execution but could allow a standard user account to execute code in the kernel. Currently, the exploit appears to only work in Windows XP," they wrote in a blog post. "Post exploitation, the shellcode decodes a PE payload from the PDF, drops it in the temporary directory, and executes it."
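The post-exploitation behavior FireEye describes (Reader writing a PE to the user's Temp directory and launching it) gives a hunt team something concrete to look for. The script below is an added example, not FireEye's or Microsoft's code: it scans process-creation records for a child of AcroRd32.exe that was started from a Temp directory, and additionally flags a child running as SYSTEM while Reader itself ran as a standard user, which is the usual end state of a kernel privilege-escalation payload (assumed here, not stated on the page). The record format, the field names, and the four sample lines are constructed for the example; it is written to run on PowerShell 2.0, the version available on XP SP3.

```powershell
# Added example: hunt for Reader-spawned executables from Temp and for a
# SYSTEM-level child of a user-level Reader process (kernel LPE token theft,
# assumed pattern). Record format and sample lines are constructed here.

$SampleRecords = @(
    'Time=2013-11-27T09:12:01 User=CORP\alice Parent=C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe Image=C:\Documents and Settings\alice\Local Settings\Temp\svchost.exe ImageUser=NT AUTHORITY\SYSTEM',
    'Time=2013-11-27T09:12:05 User=CORP\alice Parent=C:\WINDOWS\explorer.exe Image=C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe ImageUser=CORP\alice',
    'Time=2013-11-27T09:13:40 User=CORP\bob Parent=C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe Image=C:\Program Files\Internet Explorer\iexplore.exe ImageUser=CORP\bob',
    'Time=2013-11-27T09:15:12 User=NT AUTHORITY\SYSTEM Parent=C:\WINDOWS\system32\services.exe Image=C:\WINDOWS\system32\svchost.exe ImageUser=NT AUTHORITY\SYSTEM'
)

function ConvertFrom-ProcessRecord([string]$Line) {
    # Fields are Key=Value; values (paths) contain spaces, so a value runs
    # until the next " Key=" token or the end of the line.
    $fields = @{}
    foreach ($m in [regex]::Matches($Line, '(\w+)=(.*?)(?=\s+\w+=|$)')) {
        $fields[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    $fields
}

function Test-ReaderDropAndRun($Fields) {
    $readerParent = $Fields['Parent'] -imatch '\\AcroRd32\.exe$'
    # A PE launched straight out of a Temp directory (drop-and-execute).
    $fromTemp     = $Fields['Image'] -imatch '\\Temp\\[^\\]+\.(exe|dll|scr)$'
    # Child owns a SYSTEM token although the parent ran as the interactive user.
    $elevated     = ($Fields['ImageUser'] -ieq 'NT AUTHORITY\SYSTEM') -and
                    ($Fields['User'] -ine $Fields['ImageUser'])
    New-Object PSObject -Property @{
        Time          = $Fields['Time']
        Image         = $Fields['Image']
        ReaderParent  = $readerParent
        FromTemp      = $fromTemp
        TokenElevated = $elevated
        Suspicious    = ($readerParent -and ($fromTemp -or $elevated))
    }
}

$hits = foreach ($line in $SampleRecords) {
    $r = Test-ReaderDropAndRun (ConvertFrom-ProcessRecord $line)
    if ($r.Suspicious) { $r }
}
$hits | Format-Table Time, Image, FromTemp, TokenElevated -AutoSize
```

Only the first sample record is reported: Reader launching iexplore.exe (third record) is ordinary link-clicking behavior and services.exe starting svchost.exe as SYSTEM (fourth record) is normal, so neither path nor token check fires on them. In real use, replace `$SampleRecords` with the process-creation source available on the host.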

[Nearly half of the 1 million machines managed by enterprise mobility management firm Fiberlink for its clients are XP systems. See Windows XP Holdouts Hold On.]

These latest zero-day attacks are just the tip of the iceberg in attacks to come for XP, security experts say. "I think we'll see a whole group of people looking at XP vulnerabilities," says Wolfgang Kandek, CTO at Qualys. "I don't think XP is going to be very defendable for two to three months after it stops getting updated."

Kandek says it won't take much effort, either, to find new flaws in XP. Attackers can merely extrapolate some flaws in XP from patches to Internet Explorer 7, for example.

The new local privilege escalation attack basically performs an Adobe PDF sandbox escape, he says. This multiple-vulnerability chain approach is becoming popular in many new attacks, he says, mainly thanks to tighter software security features like ASLR that make exploitation more difficult. "Most attackers need to chain together multiple vulns. I think this is in that spirit," he says of the new attack. "The attackers now send you a document with a PDF vulnerability. They need to chain another [exploit] to it to become administrator" on the targeted machine, he says.

Microsoft did not provide any additional details on the nature of the targeted attacks or the victims, but Kandek says it has all the earmarks of an advanced persistent threat (APT)-style attack. "My feeling is that it was used in an APT targeted attack," he says. And next it will be exploited by mainstream attackers and become more widespread, as is the typical progression of zero-days, he says.

Meanwhile, Microsoft has issued a recommended workaround for the flaw while it prepares a patch: rerouting the NDProxy service to Null.sys, so the vulnerable driver is never loaded. The trade-off is that anything depending on NDProxy, such as dial-up and VPN connections, stops working until the change is reverted. FireEye suggests upgrading to the latest version of Adobe Reader and migrating the operating system to Windows 7 or higher.
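As an added example (not the article's or Microsoft's own script), here is one way to apply, verify and later revert the NDProxy-to-Null.sys workaround from an elevated PowerShell 2.0 prompt on XP SP3 or Server 2003. The service key, the value name `ImagePath`, and the driver paths reflect how the workaround is described; check them against the advisory text before running this on a production host. The change to `ImagePath` only takes effect after a reboot, and the Verify mode exists so an administrator can confirm which state a machine is in without touching it.

```powershell
# Added example: apply / verify / revert the "reroute NDProxy to Null.sys"
# workaround. Registry key and driver paths are taken from the workaround's
# description; verify against the advisory before production use.
param(
    [ValidateSet('Apply', 'Verify', 'Revert')]
    [string]$Mode = 'Verify'
)

$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NDProxy'
$NullDriver = 'system32\drivers\null.sys'      # stub driver: accepts and discards all I/O
$RealDriver = 'system32\drivers\ndproxy.sys'   # original driver, restored by Revert

function Get-NDProxyImagePath {
    (Get-ItemProperty -Path $ServiceKey -Name ImagePath).ImagePath
}

function Set-NDProxyImagePath([string]$Path) {
    # ImagePath is REG_EXPAND_SZ; keep that type so the service manager still expands it.
    Set-ItemProperty -Path $ServiceKey -Name ImagePath -Value $Path -Type ExpandString
}

switch ($Mode) {
    'Apply' {
        # Stop the driver now; the new ImagePath is only used at the next boot.
        & sc.exe stop ndproxy | Out-Null
        Set-NDProxyImagePath $NullDriver
        Write-Host "NDProxy now points at $NullDriver. Reboot to activate."
        Write-Host "Expect RAS, dial-up and VPN connections to stop working while this is in place."
    }
    'Revert' {
        Set-NDProxyImagePath $RealDriver
        Write-Host "NDProxy restored to $RealDriver. Reboot to activate."
    }
    'Verify' {
        $current = Get-NDProxyImagePath
        if ($current -imatch 'null\.sys$') {
            Write-Host "Workaround present: ImagePath = $current"
        } else {
            Write-Host "Workaround NOT present: ImagePath = $current"
        }
    }
}
```

Run it as `.\ndproxy-workaround.ps1 -Mode Apply` (or `Verify` / `Revert`). `sc.exe` is spelled out because `sc` alone resolves to the Set-Content alias in PowerShell. Once Microsoft ships the security update, revert the change so dial-up and VPN services return.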


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
