Targeted Attacks Spotted Exploiting Microsoft XP Zero-Day

Microsoft working on a fix for newly discovered local escalation of privilege vulnerability in XP and Windows 2003

Researchers late last week discovered targeted attacks in the wild exploiting a previously unknown kernel vulnerability in Microsoft XP. Security experts say the attacks may be a sign of things to come as attackers home in on the older operating system, which Microsoft will no longer support as of April 2014.

One-fifth of all operating systems in use today are Windows XP machines, according to Microsoft, and XP machines are six times more likely to be infected by malware, even though Windows 8 and XP actually encounter the same volume of malware. That, and the fact that there will be no more patches for the 12-year-old operating system as of April 8, are making XP an even more attractive target for cyberespionage actors and, ultimately, traditional cybercriminals.

The newly discovered zero-day flaw actually involves both XP and Windows 2003, but the attacks seen in the wild by researchers at FireEye only appear to exploit XP. On its own, the local privilege escalation bug in the kernel of both OSes can't be used to compromise a remote system, but on a system that has already been hijacked it can be used to run the malware or mount further attacks.

The attacks rely on the victim opening a malicious PDF file to infect them, according to Dustin Childs, group manager for response communications with Microsoft's Trustworthy Computing group. "These limited, targeted attacks require users to open a malicious PDF file. While we are actively working to develop a security update to address this issue, we encourage customers running Windows XP and Server 2003 to deploy" workarounds, he says, which Microsoft included in a Security Advisory issued on Thanksgiving eve.

FireEye researchers Xiaobo Chen and Dan Caselden say the exploit targets a patched bug in Adobe Reader 9.5.4, 10.1.6, 11.0.02, and earlier versions on Windows XP SP3, so users running updated Reader software are safe. "The vulnerability cannot be used for remote code execution but could allow a standard user account to execute code in the kernel. Currently, the exploit appears to only work in Windows XP," they wrote in a blog post. "Post exploitation, the shellcode decodes a PE payload from the PDF, drops it in the temporary directory, and executes it."
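The post-exploitation behaviour the FireEye researchers describe, a PDF reader dropping an executable into the temporary directory and launching it, is something defenders can look for in process-creation telemetry independently of the specific exploit. The following is an added example, not code from FireEye or from this article: a simple heuristic that flags a child executable started from a Temp directory by a PDF reader process. The process-creation records it runs over are constructed, not real telemetry, and the helper and function names are this example's own.

```powershell
# Added example (not from the FireEye post or the article): detection heuristic for a
# PDF reader launching an executable out of a temp directory. Runs over process-creation
# records; any log source that yields parent and child image paths can be mapped onto the
# same Time/ParentImage/Image shape. Written in PowerShell 2.0 syntax so it also runs on XP.

function New-ProcRecord($Time, $ParentImage, $Image) {
    New-Object PSObject -Property @{ Time = $Time; ParentImage = $ParentImage; Image = $Image }
}

# Constructed sample records with XP-style paths. Only record 2 should be flagged.
$SampleRecords = @(
    (New-ProcRecord '2013-11-27 09:14:02' 'C:\WINDOWS\explorer.exe' 'C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe'),
    (New-ProcRecord '2013-11-27 09:14:09' 'C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe' 'C:\Documents and Settings\jdoe\Local Settings\Temp\update.exe'),
    (New-ProcRecord '2013-11-27 09:15:30' 'C:\WINDOWS\explorer.exe' 'C:\Documents and Settings\jdoe\Local Settings\Temp\setup_installer.exe'),
    (New-ProcRecord '2013-11-27 09:16:11' 'C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe' 'C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe')
)

# Parent process names treated as "PDF reader" (lower-case for comparison).
$ReaderImages = @('acrord32.exe', 'acrobat.exe')
# Image path ending in \Temp\<file>.exe|dll|scr, which covers both the per-user
# "Local Settings\Temp" and the system "WINDOWS\Temp" directories on XP.
$TempPattern  = '\\Temp\\[^\\]+\.(exe|dll|scr)$'

function Find-ReaderTempLaunches($Records) {
    # Both conditions must hold: a reader parent AND a child image inside a temp directory.
    # Record 3 (explorer launching from Temp) and record 4 (Reader launching its own helper
    # from its install directory) are deliberately not matched.
    $Records | Where-Object {
        $parentName = [System.IO.Path]::GetFileName($_.ParentImage).ToLower()
        ($ReaderImages -contains $parentName) -and ($_.Image -match $TempPattern)
    }
}

$hits = @(Find-ReaderTempLaunches $SampleRecords)
foreach ($h in $hits) {
    Write-Host ("[{0}] {1} launched {2}" -f $h.Time, $h.ParentImage, $h.Image)
}
Write-Host ("{0} suspicious launch(es) out of {1} records" -f $hits.Count, $SampleRecords.Count)
```

Against the constructed records this reports exactly one hit, the update.exe launched from the user's Temp directory by AcroRd32.exe. Legitimate installers do start from Temp, which is why the rule keys on the parent process as well as the location; in production you would still expect to tune the reader list and the path pattern to the reader and Windows versions actually deployed.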

[Nearly half of the 1 million machines managed by enterprise mobility management firm Fiberlink for its clients are XP systems. See Windows XP Holdouts Hold On.]

These latest zero-day attacks are just the tip of the iceberg in attacks to come for XP, security experts say. "I think we'll see a whole group of people looking at XP vulnerabilities," says Wolfgang Kandek, CTO at Qualys. "I don't think XP is going to be very defendable for two to three months after it stops getting updated."

Kandek says it won't take much effort, either, to find new flaws in XP. Attackers can merely extrapolate some flaws in XP from patches to Internet Explorer 7, for example.

The new local privilege escalation attack basically performs an Adobe PDF sandbox escape, he says. This multiple-vulnerability chain approach is becoming popular in many new attacks, he says, mainly thanks to tighter software security features like ASLR and others that make exploitation more difficult. "Most attackers need to chain together multiple vulns. I think this is in that spirit," he says of the new attack. "The attackers now send you a document with a PDF vulnerability. They need to chain another [exploit] to it to become administrator" on the targeted machine, he says.

Microsoft did not provide any additional details on the nature of the targeted attacks or the victims, but Kandek says it has all the earmarks of an advanced persistent threat (APT)-style attack. "My feeling is that it was used in an APT targeted attack," he says. And next it will be exploited by mainstream attackers and become more widespread, as is the typical progression of zero-days, he says.

Meanwhile, Microsoft has issued a recommended workaround for the flaw while it prepares a patch: rerouting the NDProxy service to Null.sys. FireEye suggests upgrading to the latest version of Adobe Reader and migrating the operating system to Windows 7 or higher.
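The workaround above is a registry change to the NDProxy driver's service entry. What follows is an added example, not code from the article or from Microsoft's advisory: a small PowerShell 2.0 script (the last PowerShell version available on XP and Server 2003) that reports whether the workaround is in place on a host and can apply or revert it. It assumes only the standard Windows layout of a kernel driver's service key (HKLM\SYSTEM\CurrentControlSet\Services\<driver>, with ImagePath naming the driver binary) and, for the revert step, that the normal NDProxy binary lives at system32\DRIVERS\ndproxy.sys; the function names are this example's own.

```powershell
# Added example (not from the article or Microsoft's advisory): audit, apply and revert
# the "reroute NDProxy to Null.sys" workaround on an XP / Server 2003 host.
# Assumptions: standard driver service key layout under HKLM\SYSTEM\CurrentControlSet\Services,
# and the default driver path system32\DRIVERS\ndproxy.sys for the revert step.

$NDProxyKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NDProxy'   # PowerShell provider path
$NDProxyRegPath = 'HKLM\SYSTEM\CurrentControlSet\Services\NDProxy'    # same key, reg.exe spelling
$NullDriver     = 'system32\drivers\null.sys'
$RealDriver     = 'system32\DRIVERS\ndproxy.sys'   # assumed default, used only when reverting

function Test-WorkaroundApplies {
    # Only XP (NT 5.1) and Server 2003 / XP x64 (NT 5.2) are in scope for this workaround.
    $v = [Environment]::OSVersion.Version
    return ($v.Major -eq 5 -and ($v.Minor -eq 1 -or $v.Minor -eq 2))
}

function Get-NDProxyState {
    # Reads ImagePath and classifies it: 'missing', 'workaround-applied' or 'driver-active'.
    $props = Get-ItemProperty -Path $NDProxyKey -ErrorAction SilentlyContinue
    if ($props -eq $null -or $props.ImagePath -eq $null) { return 'missing' }
    if ($props.ImagePath -match 'null\.sys$') { return 'workaround-applied' }
    return 'driver-active'
}

function Set-NDProxyImagePath([string]$Driver) {
    # Stops the driver service, then repoints ImagePath with reg.exe so the value keeps its
    # REG_EXPAND_SZ type. The new path is only picked up at the next boot. Run as Administrator.
    & sc.exe stop ndproxy | Out-Null
    & reg.exe add $NDProxyRegPath /v ImagePath /t REG_EXPAND_SZ /d $Driver /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe failed to update $NDProxyRegPath" }
}

function Enable-NDProxyWorkaround  { Set-NDProxyImagePath $NullDriver }
function Disable-NDProxyWorkaround { Set-NDProxyImagePath $RealDriver }   # revert once the patch is installed

# Default behaviour is report-only; uncomment the Enable line to apply on an in-scope host.
if (-not (Test-WorkaroundApplies)) {
    Write-Host 'Not XP / Server 2003: this workaround does not apply to this host.'
} else {
    Write-Host ("NDProxy state: " + (Get-NDProxyState))
    # Enable-NDProxyWorkaround; Write-Host 'Workaround set. Reboot to activate it.'
}
```

Two caveats worth knowing before rolling this out: the change is not active until the machine reboots, and while NDProxy is pointed at Null.sys the services that depend on it, such as Remote Access Service, dial-up networking and VPN connections on that host, stop working. Keep the revert function handy and run it once Microsoft's update is installed.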


About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
