Microsoft Issues Warning on XP/Server 2003 0-Day

The vulnerability is an elevation of privilege. On its own it does no harm, but used in conjunction with other malware it allows malicious code to be run in kernel mode. "Running in kernel mode is like being an administrator's administrator," comments Paul Ducklin in Naked Security.

The vulnerability was first detected by FireEye. "This local privilege escalation vulnerability is used in-the-wild in conjunction with an Adobe Reader exploit that appears to target a patched vulnerability," blogged Xiaobo Chen and Dan Caselden. "The exploit targets Adobe Reader 9.5.4, 10.1.6, 11.0.02 and prior on Windows XP SP3."

Trend Micro has since obtained a sample of the malware being used "from a targeted attack. In this incident, a malicious PDF (detected as TROJ_PIDEF.GUD) exploits an Adobe vulnerability (CVE-2013-3346) referenced in APSB13-15, which was released in May of this year. This vulnerability," blogged Gelo Abendan, "is used in tandem with the Windows zero-day vulnerability (CVE-2013-5065), resulting in a backdoor being dropped into the system."

In this particular combination, the Windows 0-day is being used with a fixed Adobe vulnerability. Fully patched Adobe users will therefore be immune. However, XP and Server 2003 users should not assume they are safe from other possible combinations.

Pending any further response, such as a formal patch, Microsoft has included a workaround in its advisory. This involves rerouting the NDProxy service to Null.sys through the Registry. The upside is that it works; but the downside is that it stops Windows services relying on TAPI (such as RAS, dial-up networking and the Windows VPN) from working.
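An added audit script (not part of the article or Microsoft's advisory) that lets an administrator confirm whether the NDProxy-to-Null.sys workaround described above is in place on a host, and lists the state of the TAPI-dependent services the article says it breaks. It assumes the workaround changes the driver's ImagePath value under the standard services registry key, and that the service names TapiSrv, RasMan and RemoteAccess correspond to the telephony, RAS and VPN components mentioned; those names and the key path are assumptions, not taken from the page.

```powershell
# Standard location of a driver/service's configuration (assumption: the
# workaround edits the ImagePath value of this key, as the article summarises).
$NdProxyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NDProxy'

# Services assumed to depend on TAPI (telephony, RAS/dial-up, VPN); the article
# warns these stop working once NDProxy is rerouted.
$TapiDependents = 'TapiSrv', 'RasMan', 'RemoteAccess'

function Test-NdProxyWorkaround {
    # Returns an object describing whether the workaround is applied.
    if (-not (Test-Path $NdProxyKey)) {
        return New-Object PSObject -Property @{ KeyPresent = $false; ImagePath = $null; Applied = $false }
    }
    $props = Get-ItemProperty -Path $NdProxyKey -Name ImagePath -ErrorAction SilentlyContinue
    $imagePath = if ($props) { $props.ImagePath } else { $null }
    # Workaround is considered applied when the driver image resolves to null.sys.
    $applied = ($imagePath -ne $null) -and ($imagePath -match 'null\.sys$')
    New-Object PSObject -Property @{ KeyPresent = $true; ImagePath = $imagePath; Applied = $applied }
}

function Get-TapiDependentState {
    # Reports current status of each TAPI-dependent service so the operator can
    # see the side effect of the workaround (or confirm it is absent).
    foreach ($name in $TapiDependents) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status = if ($svc) { $svc.Status } else { 'not installed' }
        New-Object PSObject -Property @{ Service = $name; Status = $status }
    }
}

$result = Test-NdProxyWorkaround
if ($result.Applied) {
    Write-Host "NDProxy workaround APPLIED (ImagePath = $($result.ImagePath))"
} elseif ($result.KeyPresent) {
    Write-Host "NDProxy workaround NOT applied (ImagePath = $($result.ImagePath))"
} else {
    Write-Host "NDProxy service key not found; host may not have the driver"
}
Get-TapiDependentState | Format-Table Service, Status -AutoSize
```

Run from an elevated PowerShell session; the script only reads the registry and service state and changes nothing.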

Both XP and Server 2003 are nearing the end of their supported life with Microsoft. From April 2014 there will be no further patches. The real workaround to both this and all future XP-only vulnerabilities is simply to upgrade to a newer version of the operating system as soon as possible.
