Microsoft warns of zero-day XP kernel bug being exploited in the wild

Filed Under: Featured, Malware, Microsoft, Vulnerability, Windows

Microsoft has gone public to warn about a zero-day vulnerability in the Windows XP kernel.

Apparently, the bug, dubbed CVE-2013-5065, is being exploited in the wild, though details of exactly how, where, by whom and to what effect are not known.

That makes it rather hard to decide exactly how to respond, but here's what we know so far:

  • The bug is in the NDPROXY.SYS driver, which co-ordinates the operation of Microsoft's Telephony API (TAPI).
  • The exploit doesn't allow remote code execution on its own, only an elevation of privilege (EoP).
  • The vulnerability exists in Windows XP and Server 2003 only.
  • No formal patch or Fixit has been published yet.
  • A simple registry tweak can immunise an XP computer against the vulnerability.
  • The registry tweak has some side-effects you need to know about.

Even though EoP holes aren't directly exploitable by remote attackers, cybercriminals can combine an EoP with a conventional exploit, such as a drive-by malware attack against your browser or other content-rendering software.

Learn about the various types of vulnerability, including Remote Code Execution and Elevation of Privilege:

(Audio player not working? Download MP3, or listen on Soundcloud.)

Adding an EoP to a drive-by means that the attack is no longer limited to the privileges of user whose browser (or PDF reader, Flash player or Java runtime, and so forth) gets attacked.

According to network security company FireEye, that has happened with this exploit, which the company says it has seen as part of a PDF-based attack against unpatched versions of Adobe Reader.

And this is the worst sort of EoP: it doesn't just boost you from a regular user to an administrator, but beyond.

In Microsoft's words, "an attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights."

Running in kernel mode is like being an administrator's administrator.

What to do?

The best solution of all is to get off XP onto any later version of Windows.

We all know we probably ought to have done that already, and that we definitely ought to do so by April 2014, but we also know that not everyone is going to be able to make it by 2014, let alone right now as a response to fix this issue.

Get advice about dealing with the end of XP:

(Audio player not working? Download MP3, or listen on Soundcloud.)

If you're stuck with XP, you may be able to use Microsoft's interim workaround: prevent the buggy NDPROXY.SYS driver from loading at all.

Simply deleting the file won't do, as the Windows driver cache will helpfully restore it for you. (Anyway, deleting the file is permanent and thus a hassle to reverse if it doesn't work out.)

Microsoft's cunning plan is to tweak the registry to configure the NDProxy driver to load NULL.SYS (a special functionless driver) instead of the faulty NDPROXY.SYS executable.

You need to change (or create, if it doesn't exist) the following registry entry:

Key:          HKLM\SYSTEM\CurrentControlSet\
Value name:   ImagePath
Type:         REG_EXPAND_SZ
Set data to:  system32\DRIVERS\null.sys

When you reboot, you will be immune to this EoP exploit.

Of course, this sort of hack comes with a cost: the NDProxy service will no longer work, and therefore anything relying on TAPI won't work either.

That includes Dial Up Networking (remember that?) and RAS, which you might expect; and also Microsoft's Virtual Private Network (VPN) software, which you might not expect.

→ If you are connecting to Microsoft servers using a non-Microsoft VPN, such as the SSL or IPSEC based options offered by the Sophos UTM product, you should be able to neutralise the NDProxy service without locking yourself out of the VPN. But be sure to test things first: if you have problems, you can easily revert the change by altering the above ImagePath registry value back so it points at system32\DRIVERS\ndproxy.sys.

Don't forget to patch your non-Microsoft applications, too.

Obviously, patching other software won't fix the XP kernel hole, but we've so far only heard of one real-world attack using this EoP, and it relies on a bug in Adobe Reader.

That Reader vulnerability, as far as we know, is not a zero-day, so if you have been prompt about patching, you should be protected against it already.

Lastly, take care about opening files like PDFs that don't come from a known-good source.

FireEye isn't saying whether the attack it investigated was delivered by email or via the web, but either way, a little caution goes a long way!

NB. Sophos products detect currently-known samples of files exploiting CVE-2013-5065 as Troj/20135065-A.

, , , , , ,

You might like

16 Responses to Microsoft warns of zero-day XP kernel bug being exploited in the wild

  1. spookiewon · 676 days ago

    Okay, let me get this straight. this gives an attacker kernel access?


    • LonerVamp · 676 days ago

      Pretty much every month Microsoft patches similar privilege escalation issues, so a kernel level access is not all that exotic. It's bad, of course, but it's nothing new.

  2. Andrew · 676 days ago

    Updated to windows 7 and personally I think it is a pile of junk .!

  3. Anonymous · 676 days ago

    So, we have to upgrade ...

  4. daddylonglegz · 675 days ago

    My Advice for the average user:

    If you are currently running Windows XP, abandon ship. Come April 8th of next year it won't be supported by Microsoft (also neither will Office 2003). Upgrading to Windows 7 Pro or higher is your best bet. It is different and might take some time to get used to but everything new has a learning curve. Its a part of upgrading and it is much safer than staying on an unsupported OS. Just make sure you have a good amount of RAM (4GB +) a nice processor (i like Intel i5 i7) and a nice hard drive (you may even want to look in to Solid State Hard Drives for increased performance).

    Its those security updates you want. Windows 7 has flaws too (just like XP does) but the difference is you will be safe once the patch is applied through windows update. These patches keep you safe and make it so that many exploits/flaws found on the OS are patched and cleaned up.

    [Comment edited for length.]

    Flaws like this are scary (especially knowing if they were ever exploited on a system what could be done) but its good to know that you are safe because you took the necessary precautions and moved off XP before its EOL.

    • njorl · 673 days ago

      I'd say, as long as it's been in general use, for a couple of months, without the sky falling in, always take the latest version, when upgrading.

      At the current time, that is Windows 8.1 (but, if you've bought 8, or something that came with 8 on it, you can move up to the point release for free).

      Two reasons:

      If you think of Windows as a GUI and an operating system, later versions of the latter will be improvements upon their predecessors (or, at least as good). This, typically, includes better resistance to malware, quicker start-up, further reduced crashing incidence, and support for newer hardware. (Maybe Vista bent the rule by being a little less nimble than XP, especially on systems with limited RAM - an opinion I've heard.) The later GUI may genuinely be more irritating than the previous one, or perhaps there's just some frustration while you adjust to a new way of doing what you did perfectly easily before. However, the (Windows) GUI is rather an insignificant part of your computing experience. Your focus, nearly all of the time, is on an application (trying to find which tab of the ribbon bar provides the command you want to make, etc.). The application will look and act pretty much the same way, irrespective of the Windows GUI version. (Unless you are forced to upgrade the application along with Windows, of course, but that is very rare.)

      Microsoft will cease supporting the earlier Windows version less far into the future (earlier!), in all probability. Thus, you can stick with your upgrade version longer, should you wish.

  5. Anonymous · 675 days ago

    Well, looks like I'm going to Linux after this.

  6. ProphetZarquon · 674 days ago

    Windows 7 is not a viable option on older machines.
    Windows XP will be around until the systems running it are too slow to do anything.
    Updates to Flash, Java and other extensions have made internet browsing very slow on older machines, regardless of which OS they run.
    The typical solution is to NOT install updates, which of course leaves you vulnerable to any new exploits.
    As a result, I block most ad content at the router (as well as a long list of unwanted IPs & malicious websites), and only allow plugins to run On Demand. YouTube and most other major web services can still be accessed in a timely fashion once the unnecessary bloat has been blocked within their pages.
    Trusted websites can be whitelisted.
    With the vast majority of ads and plugin content blocked, even my old Celeron processor burdened notebook can still browse the web, check email and view YouTube videos. (Indeed, I won't even use YouTube without the ads blocked. It has become a ridiculously bloated and ad-ridden elephant, crushing older PCs under the weight of page elements no one actually needs. With ad-blocking, the worst thing I deal with is bad suggested videos.)
    Ad blocking is actually more helpful than antivirus for most internet users. A hosts file, Ad-Block Plus, a few Prompt Me settings, and Microsoft Security Essentials are all I recommend for older machines.

    • Paul Ducklin · 673 days ago

      I hear your comment about ad blocking, and I agree (see many articles on Naked Security about this) that poisoned ads are a valuable vehicle for cybercrooks to push malware on unsuspecting users.

      However, poisoned ads are far from the most likely way you'll get infected. I don't have objective figures off the top of my head, but my suspicion is that blocking ads alone might reduce your risk of malware infection by well below 10%. Compromised websites, thoughtless downloads and booby-trapped attachments are IMO a much greater risk.

      So I must warn other readers to be very sceptical of your suggestion that ad blocking is "more helpful than antivirus for most internet users." Both are valuable, but I think that *replacing* your anti-virus with an ad blocker is asking for trouble, notably on XP.

      I'm also surprised to hear anyone who is determined to stretch the life of XP on an old computer saying that because Flash and Java make things slower it therefore becomes more and more desirable to skip updates. You should be getting rid of things like Flash and Java from your browser if you are serious about security - especially on XP.

      If you're determined to stick with Windows XP (rather than migrating, say, to a lean Linux distro), start by putting your software ecosystem on a diet. You'll boost performance and security.

    • JohnJ · 673 days ago

      I'd say it depends. I took my inlaw's old single-core Sempron (AMD's Celeron if you will) laptop from XP to Win7 but when I did so I also maxed out the RAM (a whopping 2GB) and replaced the HD with an old first-gen SSD I had sitting around. The laptop still won't win any speed awards but it runs fairly good for hardware that was far from top of the line when it was new some 6+ years ago.

  7. roy jones jr · 672 days ago

    To attempt to stay using Windows XP or some old OSX is ignorant. That would be like seeing an IT person go home and still using Windows 2000 and Internet explorer 5.5 because he or she felt it was a good setup they did and don't want to change. Don't even try thinking up "scenarios" either. Read old PC articles to find out how bad it would be to use unsupported software.

    I will admit that XP worked with a lot of things. But so does Windows 7. In this case, its common sense people.

    • NONE of these comments mentions the inflated cost of upgrading to the next Windows level. It isn't just the cost of the licence, you will find that you have to buy almost a new machine becaust the upgrades require more processor power, much more RAM, bigger and faster HDD etc etc. I too think it will be Linux for me next time. Bill Gates got rich enough.

  8. Selest 13 · 672 days ago

    My advice to the average user is, buy a Mac, not more secure but in general superior, and you might enjoy owning and using a computer :)

  9. Keith · 671 days ago

    I have two XP machines that I've already disconnected from the web and will continue to use them off-line far beyond the end of support date. I have programs and software that never migrated to newer releases of Windows...and the "run in XP mode" on 7 and 8 does not accommodate most of the older software I have.

    As far as the internet goes, I have a Windows 8 machine and a CrunchBang Linux machine to keep me in touch with "the world".

  10. Charles · 581 days ago

    Microsoft just wants you to upgrade so that they can line their pockets. Every OS has flaws so if you are using XP and are happy with it, KEEP IT! It is the most solid OS that they have come out with to date. Their are millions of drivers all over the net so your old hardware will still work just fine. Personally I do like Windows 7 but absolutely hate Windows 8 and Win 8.1. Dont let them scare you off of XP. KEEP IT!!!

    • Paul Ducklin · 581 days ago

      Thing is, that from a security point of view, Windows 7 and Windows 8 are more solid, and they're more solid because they were built with security considerations that arose from the comparative insecurity of XP.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog