Targeted Attacks Spotted Exploiting Microsoft XP Zero-Day

Published: 22/11/2024   Category: security




Microsoft working on a fix for newly discovered local escalation of privilege vulnerability in XP and Windows 2003



Researchers late last week discovered targeted attacks in the wild exploiting a previously unknown kernel vulnerability in Microsoft XP. Security experts say the attacks may be a sign of things to come as attackers home in on the older operating system, which Microsoft will no longer support as of April 2014.
One-fifth of all operating systems in use today are Windows XP machines, according to Microsoft, and XP machines are six times more likely to be infected by malware, even though Windows 8 and XP actually encounter the same volume of malware. That, and the fact that there will be no more patches for the 12-year-old operating system as of April 8, are making XP an even more attractive target by cyberespionage actors and, ultimately, traditional cybercriminals.
The newly discovered zero-day flaw actually involves both XP and Windows 2003, but the attacks seen in the wild by researchers at FireEye only appear to exploit XP. The local privilege escalation bug in the kernel of both OSes can't exploit a remote system on its own, but it can be used on an already-hijacked system to execute the malware or other attacks.
The attacks rely on the victim opening a malicious PDF file to infect them, according to Dustin Childs, group manager for response communications with Microsoft's Trustworthy Computing group. "These limited, targeted attacks require users to open a malicious PDF file. While we are actively working to develop a security update to address this issue, we encourage customers running Windows XP and Server 2003 to deploy workarounds," he says, which Microsoft included in a Security Advisory issued on Thanksgiving eve.
FireEye researchers Xiaobo Chen and Dan Caselden say the exploit targets a patched bug in Adobe Reader 9.5.4, 10.1.6, 11.0.02, and earlier versions on Windows XP SP3, so users running updated Reader software are safe. "The vulnerability cannot be used for remote code execution but could allow a standard user account to execute code in the kernel. Currently, the exploit appears to only work in Windows XP," they wrote in a blog post. "Post exploitation, the shellcode decodes a PE payload from the PDF, drops it in the temporary directory, and executes it."
[Nearly half of the 1 million machines managed by enterprise mobility management firm Fiberlink for its clients are XP systems. See Windows XP Holdouts Hold On.]
These latest zero-day attacks are just the tip of the iceberg in attacks to come for XP, security experts say. "I think we'll see a whole group of people looking at XP vulnerabilities," says Wolfgang Kandek, CTO at Qualys. "I don't think XP is going to be very defendable for two to three months after it stops getting updated."
Kandek says it won't take much effort, either, to find new flaws in XP. Attackers can merely extrapolate some flaws in XP from patches to Internet Explorer 7, for example.
"The new local privilege escalation attack basically performs an Adobe PDF sandbox escape," he says. This multiple-vulnerability chain approach is becoming popular in many new attacks, he says, mainly thanks to tighter software security features like ASLR and others that make exploitation more difficult. "Most attackers need to chain together multiple vulns. I think this is in that spirit," he says of the new attack. "The attackers now send you a document with a PDF vulnerability. They need to chain another [exploit] to it to become administrator on the targeted machine," he says.
Microsoft did not provide any additional details on the nature of the targeted attacks or the victims, but Kandek says it has all the earmarks of an advanced persistent threat (APT)-style attack. "My feeling is that it was used in an APT targeted attack," he says. "And next it will be exploited by mainstream attackers and become more widespread," as is the typical progression of zero-days, he says.
Meanwhile, Microsoft has issued a recommended workaround for the flaw while it prepares a patch: rerouting the NDProxy service to Null.sys. FireEye suggests upgrading to the latest version of Adobe Reader and migrating the operating system to Windows 7 or higher.