Microsoft warns of zero-day XP kernel bug being exploited in the wild


Microsoft has gone public to warn about a zero-day vulnerability in the Windows XP kernel.

Apparently, the bug, dubbed CVE-2013-5065, is being exploited in the wild, though details of exactly how, where, by whom and to what effect are not known.

That makes it rather hard to decide exactly how to respond, but here’s what we know so far:

  • The bug is in the NDPROXY.SYS driver, which co-ordinates the operation of Microsoft’s Telephony API (TAPI).
  • The exploit doesn’t allow remote code execution on its own, only an elevation of privilege (EoP).
  • The vulnerability exists in Windows XP and Server 2003 only.
  • No formal patch or Fixit has been published yet.
  • A simple registry tweak can immunise an XP computer against the vulnerability.
  • The registry tweak has some side-effects you need to know about.

Even though EoP holes aren’t directly exploitable by remote attackers, cybercriminals can combine an EoP with a conventional exploit, such as a drive-by malware attack against your browser or other content-rendering software.

Learn about the various types of vulnerability, including Remote Code Execution and Elevation of Privilege:

(Audio player not working? Download MP3, or listen on Soundcloud.)

Adding an EoP to a drive-by means that the attack is no longer limited to the privileges of user whose browser (or PDF reader, Flash player or Java runtime, and so forth) gets attacked.

According to network security company FireEye, that has happened with this exploit, which the company says it has seen as part of a PDF-based attack against unpatched versions of Adobe Reader.

And this is the worst sort of EoP: it doesn’t just boost you from a regular user to an administrator, but beyond.

In Microsoft’s words, “an attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.”

Running in kernel mode is like being an administrator’s administrator.

What to do?

The best solution of all is to get off XP onto any later version of Windows.

We all know we probably ought to have done that already, and that we definitely ought to do so by April 2014, but we also know that not everyone is going to be able to make it by 2014, let alone right now as a response to fix this issue.

Get advice about dealing with the end of XP:

(Audio player not working? Download MP3, or listen on Soundcloud.)

If you’re stuck with XP, you may be able to use Microsoft’s interim workaround: prevent the buggy NDPROXY.SYS driver from loading at all.

Simply deleting the file won’t do, as the Windows driver cache will helpfully restore it for you. (Anyway, deleting the file is permanent and thus a hassle to reverse if it doesn’t work out.)

Microsoft’s cunning plan is to tweak the registry to configure the NDProxy driver to load NULL.SYS (a special functionless driver) instead of the faulty NDPROXY.SYS executable.

You need to change (or create, if it doesn’t exist) the following registry entry:

Key:          HKLM\SYSTEM\CurrentControlSet\
Value name:   ImagePath
Type:         REG_EXPAND_SZ
Set data to:  system32\DRIVERS\null.sys

When you reboot, you will be immune to this EoP exploit.

Of course, this sort of hack comes with a cost: the NDProxy service will no longer work, and therefore anything relying on TAPI won’t work either.

That includes Dial Up Networking (remember that?) and RAS, which you might expect; and also Microsoft’s Virtual Private Network (VPN) software, which you might not expect.

→ If you are connecting to Microsoft servers using a non-Microsoft VPN, such as the SSL or IPSEC based options offered by the Sophos UTM product, you should be able to neutralise the NDProxy service without locking yourself out of the VPN. But be sure to test things first: if you have problems, you can easily revert the change by altering the above ImagePath registry value back so it points at system32\DRIVERS\ndproxy.sys.

Don’t forget to patch your non-Microsoft applications, too.

Obviously, patching other software won’t fix the XP kernel hole, but we’ve so far only heard of one real-world attack using this EoP, and it relies on a bug in Adobe Reader.

That Reader vulnerability, as far as we know, is not a zero-day, so if you have been prompt about patching, you should be protected against it already.

Lastly, take care about opening files like PDFs that don’t come from a known-good source.

FireEye isn’t saying whether the attack it investigated was delivered by email or via the web, but either way, a little caution goes a long way!

NB. Sophos products detect currently-known samples of files exploiting CVE-2013-5065 as Troj/20135065-A.