
Targeted attacks spotted in the wild exploiting Windows XP zero-day

If you need another reason to upgrade from Windows XP or Server 2003, then the new zero-day exploit is the 'tip of the iceberg.'

Microsoft can preach about the evils of clinging to Windows XP all that the company wants, but the desktop operating system market share for November 2013 still shows Windows XP at over 31%, according to NetMarketShare. Windows 7 is the most popular OS, at 46.6%. What's really sad is that more users have the hated Windows Vista, 3.57%, than Microsoft's newest offering Windows 8.1, which is only on 2.64% of desktop PCs. Windows 8 came in with an unlucky 666, or 6.66%.

Yet users still stuck on XP should take note of Microsoft Security Advisory 2914486, which warns of yet another XP zero-day in the wild. Microsoft said it was aware of "limited, targeted attacks" exploiting "a vulnerability in a kernel component of Windows XP and Windows Server 2003."

The vulnerability is an elevation of privilege vulnerability. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

On Nov. 27, FireEye Labs identified the new zero-day and warned:

This local privilege escalation vulnerability is used in-the-wild in conjunction with an Adobe Reader exploit that appears to target a patched vulnerability. The exploit targets Adobe Reader 9.5.4, 10.1.6, 11.0.02 and prior on Windows XP SP3. Those running the latest versions of Adobe Reader should not be affected by this exploit.

The description for CVE-2013-5065 states, "NDProxy.sys in the kernel in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in November 2013." NDProxy "is a system-provided driver that interfaces WAN miniport drivers, call managers, and miniport call managers to the Telephony Application Programming Interfaces (TAPI) services." Microsoft explained that "an attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrator rights."

A temporary fix is to reroute the NDProxy service to Null.sys, but that breaks the services that depend on TAPI, such as Remote Access Service (RAS), dial-up networking, and virtual private networking (VPN).
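For anyone who has to apply that stopgap on an XP or Server 2003 box, here is an added batch script (not from the article, the advisory, or Microsoft) that applies, checks, and reverts the reroute so the change can be audited and undone. It assumes the reroute is done by repointing the NDProxy kernel service's binary path with sc.exe (the same value the service stores as ImagePath) and that the stub driver is at system32\drivers\null.sys.

```batch
@echo off
rem Added example: apply / undo / check the "reroute NDProxy to Null.sys" workaround.
rem Assumption: the reroute is done by changing the NDProxy service's binary path
rem with sc.exe; the advisory's own step list is not reproduced here.
rem Run from an Administrator account. A reboot is needed for the change to take effect.
rem Usage: ndproxy_workaround.cmd apply | undo | check

setlocal
set ACTION=%1
set NULLDRV=system32\drivers\null.sys
set REALDRV=system32\drivers\ndproxy.sys

if /i "%ACTION%"=="apply" (
    rem keep a record of the pre-change service config for the undo/audit trail
    echo Saving current NDProxy configuration to ndproxy_before.txt
    sc qc ndproxy > ndproxy_before.txt
    sc config ndproxy binPath= "%NULLDRV%"
    goto check
)
if /i "%ACTION%"=="undo" (
    sc config ndproxy binPath= "%REALDRV%"
    goto check
)
if /i not "%ACTION%"=="check" (
    echo Usage: %~nx0 apply ^| undo ^| check
    exit /b 2
)

:check
rem "sc qc" prints BINARY_PATH_NAME; null.sys in it means the workaround is configured
sc qc ndproxy | find /i "null.sys" > nul
if %errorlevel%==0 (
    echo NDProxy is rerouted to Null.sys: RAS, dial-up and VPN will NOT work after reboot.
) else (
    echo NDProxy points at its normal driver: workaround is NOT configured.
)
echo Reboot for the configuration change to take effect.
endlocal
```

The check only reports the configured path, not whether the driver currently loaded in memory is Null.sys, so run it again after the reboot.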

You can keep hating Windows 8 if you want, but you must at least upgrade to Windows 7. Support for XP ends on April 8, 2014.

"The real story is that this zero day is just the tip of the iceberg. Malware authors today are sitting on their XP zero day vulnerabilities and attacks, because they know that after the last set of hotfixes for XP is released in April 2014 that their exploits will work forever against hundreds of thousands (millions?) of XP workstations," wrote Metafore's Rob VandenBrink on SANS Internet Storm Center. "If you are still running Windows XP, there is no project on your list that is more important than migrating to Windows 7 or 8. The 'never do what you can put off until tomorrow' project management approach on this is on a ticking clock, if you leave it until April comes you'll be migrating during active hostilities."

If you upgrade to Windows 8, or the newest flavor of 8.1, then you might also want to consider investing in a touchscreen monitor, an all-in-one PC, or a hybrid tablet/laptop as Microsoft, and therefore Microsoft One, believes in touch as the future.

Follow me on Twitter @PrivacyFanatic
