Targeted attacks are already exploiting a new zero-day vulnerability affecting Windows XP and Windows Server 2003, Microsoft officials said.
Just prior to November 28, Microsoft issued an advisory about the bug (CVE-2013-5065), which lies in the kernel component of Windows XP and Windows Server 2003.
Exploitation could allow an elevation of privilege that gives an attacker the ability to execute code in kernel mode, then go on to “install programs; view, change or delete data; or create new accounts with full administrative rights,” the advisory said.
An attacker would still need login credentials and the ability to log on locally to exploit the vulnerability, Microsoft said.
In the attacks seen so far, the kernel vulnerability was used in conjunction with an Adobe Reader exploit, said FireEye researchers Xiaobo Chen and Dan Caselden in a blog post.
Those running the latest versions of Adobe Reader, however, aren’t vulnerable to the exploit, which targets Adobe Reader 9.5.4, 10.1.6, 11.0.02 and earlier versions on Windows XP Service Pack 3, FireEye said.
Over the weekend, Symantec also said a “small number” of in-the-wild attacks have occurred since early November, where attackers used malicious PDFs as an attack vector. Users in the U.S., India, Australia, Saudi Arabia and throughout Europe were the targets.
In those attacks, attackers exploiting the Windows zero-day dropped a Trojan called “Wipbot” onto victims’ systems, Symantec found. Wipbot steals system information, which is then sent to the attackers via their control hub.
Microsoft has yet to issue a fix for the vulnerability, but Dustin Childs, a spokesman for Microsoft’s Trustworthy Computing team, said in a blog post last Wednesday that users could deploy a workaround for the issue by configuring the NDProxy driver.
The NDProxy driver helps users manage Microsoft’s Telephony Application Programming Interface (TAPI) for integrated computer-telephone services.