Microsoft Advisory Confirms New Windows XP Zero-Day Attack


A new zero-day vulnerability in Windows XP has been detected in limited attacks, according to Microsoft, which issued an advisory about the threat.

The Redmond, Wash., software giant said its engineers are working on a patch for the kernel-level issue, which can enable an attacker to gain privileges on a victim's system. Local access to a victim's system is required to carry out the flaw, but once an exploit is successful an attacker could install additional malware, steal or manipulate data, or create new accounts with full administrative rights, Microsoft said.

"Our investigation of this vulnerability has verified that it does not affect customers who are using operating systems newer than Windows XP and Windows Server 2003," Microsoft said in its security advisory, issued last week.

[Related: Dangers Ahead In Microsoft Dismissal Of Windows XP]

Researchers at security vendor FireEye detected the Windows local privilege escalation vulnerability targeting users of Adobe Reader running on Windows XP last week. FireEye said the attacks it detected use a malicious PDF file that exploits an older Adobe Reader vulnerability. Users should upgrade to the latest version of Adobe Reader, which prevents the attack from being successful, FireEye said.

Solution providers told CRN that the latest threat highlights the need to keep software fully updated. Business should already have a plan in place to update Windows XP systems to Windows 7 or 8, said Chris Camejo, director of consulting and professional services at managed security services provider NTT Com Security.

Camejo said there are always going to be laggards and systems in corporate environments that are forgotten. For example, Camejo and his team still occasionally detect Windows NT machines in risk assessments. Support for Windows NT ended in 2004.

"Small businesses often keep running systems for as long as they can," Camejo said. "Systems that are solely used to run billing applications or other niche programs in small offices are often not fully maintained."

Microsoft has been warning Windows XP users to upgrade to a more modern version of its operating system. Solution providers say they are working with clients to upgrade them mainly to Windows 7 systems, but some businesses are considering alternatives such as virtual desktops, Apple systems due to their popularity, or Google Chrome as a low-cost option, said John Oetinger, of Missoula Mont.-based managed service provider Corporate Technology Group. In a recent interview, Oetinger said his company's clients are weighing licensing fees and labor costs associated with upgrading.

"In most cases it's going to be a full PC replacement rather than a system upgrade," Oetinger said.

About 21 percent of the worldwide OS market consists of Windows XP systems, according to Web traffic analysis firm StatCounter. As systems age, the threats posed to them often grow, said Holly Stewart, a senior program manager at the Microsoft Malware Protection Center. Microsoft issued a report last month showing Windows XP infections far outweighing those targeting Windows 7 and Windows 8 systems. Windows XP lacks modern security controls designed to prevent malicious code from executing on systems, Stewart said.

PUBLISHED DEC. 2, 2013