If your organization needed more incentive to move off Windows XP, a new zero-day vulnerability made public recently may be it.
The bug, which is being exploited in the wild, allows local privilege escalation and kernel access. But in the bigger picture, it’s another indicator that attackers might be readying a cache of attacks for the impending April 8, 2014 end-of-support deadline for the aged operating system.
Microsoft began an overt campaign with the release of its latest Security Intelligence Report explaining the dangers of keeping endpoints and servers on the OS, which is now a dozen years old.
“From a security perspective, this is a really important milestone,” Microsoft spokesperson Holly Stewart said. “Attackers will start to have a greater advantage over defenders. There were 30 security bulletins for XP this year, which means there would have been 30 zero-day vulnerabilities on XP [without support].”
In the October SIR, Microsoft said computers running XP Service Pack 3 are six times more vulnerable to malware infection than computers running Windows 8. Microsoft said data from its Malicious Software Removal Tool shows 9.1 XP computers disinfected by MSRT for every 1.6 Windows 8 machines.
“The real story is that this zero day is just the tip of the iceberg. Malware authors today are sitting on their XP zero day vulnerabilities and attacks, because they know that after the last set of hotfixes for XP is released in April 2014 that their exploits will work forever against hundreds of thousands (millions?) of XP workstations,” wrote Rob VandenBrink on the SANS Internet Storm Center website. “If you are still running Windows XP, there is no project on your list that is more important than migrating to Windows 7 or 8. The ‘never do what you can put off until tomorrow’ project management approach on this is on a ticking clock, if you leave it until April comes you’ll be migrating during active hostilities.”
Microsoft released an advisory late Wednesday on the latest zero-day after an earlier report from security company FireEye identified the vulnerability. FireEye researchers said they found an exploit in the wild being used alongside a PDF-based exploit against a patched Adobe Reader vulnerability. Reader versions 9.5.4, 10.1.6, 11.0.02 and earlier on XP SP3 are affected; later versions are not, FireEye said. FireEye added that the exploit gives a local user the ability to execute code in the kernel, for example to install new software, manipulate data, or create new accounts. The exploit cannot be used remotely.
Microsoft said it is working on a patch and urged XP users to delete NDProxy.sys and reroute it to null.sys in the system registry. NDProxy.sys is a driver that aids in the management of the Microsoft Telephony API (TAPI), so the mitigation will of course impact TAPI operations.
“For environments with non-default, limited user privileges, Microsoft has verified that the following workaround effectively blocks the attacks that have been observed in the wild,” said Dustin Childs, group manager for Microsoft Trustworthy Computing.
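A read-only audit script for the workaround described above, added here as an example; it is not part of the original article or of Microsoft's advisory. It assumes the reroute is applied by pointing the NDProxy service's ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\NDProxy at null.sys, and that TAPI is provided by the Telephony (TapiSrv) service; run it as an administrator on the XP host.

```powershell
# Audit-only: reports whether an XP host still loads NDProxy.sys or has the
# null.sys reroute in place, and whether Telephony (TAPI) is running so the
# side effect of the workaround is visible. Makes no changes to the system.
# Assumption (not from the article): the reroute is expressed as the NDProxy
# service's ImagePath pointing at null.sys.

function Get-NDProxyWorkaroundStatus {
    $os   = Get-WmiObject Win32_OperatingSystem
    $isXp = $os.Version -like '5.1.*'          # Windows XP 32-bit is NT 5.1

    $svcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NDProxy'
    $imagePath = $null
    if (Test-Path $svcKey) {
        $imagePath = (Get-ItemProperty -Path $svcKey -Name ImagePath `
                      -ErrorAction SilentlyContinue).ImagePath
    }
    # The workaround is in place when the driver image resolves to null.sys.
    $rerouted = ($imagePath -ne $null) -and ($imagePath -match '(?i)null\.sys$')

    # Kernel drivers are not listed by Get-Service; ask the SCM via sc.exe.
    $scOut          = & sc.exe query ndproxy 2>&1 | Out-String
    $ndproxyRunning = $scOut -match 'STATE\s+:\s+4\s+RUNNING'

    # Rerouting NDProxy breaks TAPI; flag hosts where Telephony is in use.
    $tapi        = Get-Service -Name TapiSrv -ErrorAction SilentlyContinue
    $tapiRunning = ($tapi -ne $null) -and ($tapi.Status -eq 'Running')

    New-Object PSObject -Property @{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = $os.Version
        ServicePack       = $os.CSDVersion
        IsWindowsXP       = $isXp
        NDProxyImagePath  = $imagePath
        WorkaroundApplied = $rerouted
        NDProxyRunning    = $ndproxyRunning
        TelephonyRunning  = $tapiRunning
        # Still exposed to the observed attacks: XP without the reroute.
        Exposed           = ($isXp -and -not $rerouted)
    }
}

Get-NDProxyWorkaroundStatus | Format-List
```

The output is a single object per host, so it can be collected from a fleet and filtered on `Exposed` to prioritize migration or application of the workaround.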