


Targeted attacks spotted in the wild exploiting Windows XP zero-day

Dec 02, 2013

If you need another reason to upgrade from Windows XP or Server 2003, then the new zero-day exploit is the 'tip of the iceberg.'

Microsoft can preach about the evils of clinging to Windows XP all that the company wants, but the desktop operating system market share for November 2013 still shows Windows XP at over 31%, according to NetMarketShare. Windows 7 is the most popular OS, at 46.6%. What’s really sad is that more users have the hated Windows Vista, 3.57%, than Microsoft’s newest offering Windows 8.1, which is only on 2.64% of desktop PCs. Windows 8 came in with an unlucky 666, or 6.66%.

Yet users still stuck on XP should take note of Microsoft Security Advisory 2914486, which warns of yet another XP zero-day in the wild. Microsoft said it was aware of “limited, targeted attacks” exploiting “a vulnerability in a kernel component of Windows XP and Windows Server 2003.”

The vulnerability is an elevation of privilege vulnerability. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

On Nov. 27, FireEye Labs identified the new zero-day and warned:

This local privilege escalation vulnerability is used in-the-wild in conjunction with an Adobe Reader exploit that appears to target a patched vulnerability. The exploit targets Adobe Reader 9.5.4, 10.1.6, 11.0.02 and prior on Windows XP SP3. Those running the latest versions of Adobe Reader should not be affected by this exploit.

The description for CVE-2013-5065 states, “NDProxy.sys in the kernel in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in November 2013.” NDProxy “is a system-provided driver that interfaces WAN miniport drivers, call managers, and miniport call managers to the Telephony Application Programming Interfaces (TAPI) services.” Microsoft explained that “an attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrator rights.”

A temporary workaround is to reroute the NDProxy service to Null.sys, but that also disables the TAPI-dependent services that rely on it, such as Remote Access Service (RAS), dial-up networking, and virtual private networking (VPN).
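For administrators who want to see what the workaround actually touches, the batch script below is an added illustration, not code from this article or from Microsoft's advisory. It assumes the NDProxy service is registered under the usual Windows services key, HKLM\SYSTEM\CurrentControlSet\Services\NDProxy (an assumption, since the advisory text quoted above names only the service and Null.sys), and that it is run from an administrator command prompt on XP SP3 or Server 2003. With no argument it reports the current driver binding so you can confirm whether a machine has been rerouted; `apply` swaps the driver for null.sys and `revert` restores the original ndproxy.sys binding. A reboot is needed after either change.

```batch
@echo off
REM Added illustration (not from the article or the Microsoft advisory).
REM Inspect, apply, or undo the "reroute NDProxy to Null.sys" workaround.
REM Assumption: the service lives under the standard Services key below.
REM Requires an administrator command prompt; reboot after apply/revert.
setlocal
set SVCKEY=HKLM\SYSTEM\CurrentControlSet\Services\NDProxy

if /i "%~1"=="apply"  goto apply
if /i "%~1"=="revert" goto revert
goto status

:status
REM Show which driver binary the service currently points at and whether it is running.
REM An ImagePath ending in null.sys means the workaround is in place.
echo Current NDProxy driver binding:
reg query "%SVCKEY%" /v ImagePath
sc query ndproxy | findstr /i "STATE"
goto :eof

:apply
REM Stop the driver and point the service at null.sys.
REM Side effect: RAS, dial-up networking and VPN stop working until reverted.
echo Rerouting NDProxy to null.sys (breaks RAS, dial-up and VPN until reverted)
sc stop ndproxy
reg add "%SVCKEY%" /v ImagePath /t REG_EXPAND_SZ /d system32\drivers\null.sys /f
echo Reboot for the change to take effect.
goto :eof

:revert
REM Restore the original driver binary once the security update is installed.
echo Restoring the original NDProxy driver binding
reg add "%SVCKEY%" /v ImagePath /t REG_EXPAND_SZ /d system32\drivers\ndproxy.sys /f
echo Reboot for the change to take effect.
goto :eof
```

The `status` branch is the useful part for fleet checks: run it across XP machines to confirm the workaround was applied consistently, and again after patching to make sure nobody forgot the `revert` step and left dial-up or VPN users stranded.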

You can keep hating Windows 8 if you want, but you must at least upgrade to Windows 7. Support for XP ends on April 8, 2014.

“The real story is that this zero day is just the tip of the iceberg. Malware authors today are sitting on their XP zero day vulnerabilities and attacks, because they know that after the last set of hotfixes for XP is released in April 2014 that their exploits will work forever against hundreds of thousands (millions?) of XP workstations,” wrote Metafore’s Rob VandenBrink on SANS Internet Storm Center. “If you are still running Windows XP, there is no project on your list that is more important than migrating to Windows 7 or 8. The ‘never do what you can put off until tomorrow’ project management approach on this is on a ticking clock, if you leave it until April comes you’ll be migrating during active hostilities.”

If you upgrade to Windows 8, or the newest flavor of 8.1, then you might also want to consider investing in a touchscreen monitor, an all-in-one PC, or a hybrid tablet/laptop as Microsoft, and therefore Microsoft One, believes in touch as the future.

Like this? Here are more posts:

  • Hollywood’s anti-piracy propaganda turned into K-12 curriculum in California
  • How Microsoft invented, or invisibly runs, almost everything
  • Microsoft cybersecurity report warns users about the evils of clinging to XP
  • Drivers beware: Roadblocks where cops collect ‘voluntary’ blood and saliva samples
  • CryptoLocker crooks charge 10 Bitcoins for second-chance decryption service
  • That’s no poltergeist invading your privacy: Spooky spying hacks make homes seem haunted
  • Porn-surfing corporate bosses infect networks, then keep data breaches a secret
  • One million Xbox One consoles sold but Microsoft’s cloud choked on launch day
  • LG Smart TV spying, owner claims his USB filenames posted on LG servers
  • If the future is ‘One Microsoft,’ should you invest in a touchscreen monitor?
  • LG Smart TV spying whiplash: LG removes Smart Ad video and changes statement

Follow me on Twitter @PrivacyFanatic

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.