As Microsoft prepares to end support for Windows XP, a new privilege escalation exploit in the operating system has emerged, highlighting the likely upcoming security tumult once support ends. The exploit, which uses vulnerabilities in certain versions of Adobe Reader, enables an attacker to gain full administrative privileges through the Windows XP kernel. As the final date for Microsoft support of Windows XP grows closer, it also serves as a warning to developers of the enduring potential for zero-day vulnerabilities in their products.
The vulnerability, discovered in the wild by FireEye Labs, allows local privilege escalation and is being delivered through a previously patched vulnerability in Adobe Reader 9.5.4, 10.1.6, 11.0.02 and earlier versions. The shellcode decodes a privilege escalation payload embedded in a malicious PDF and drops it in the temporary directory.
“The vulnerability is an elevation of privilege vulnerability,” Microsoft stated in an advisory acknowledging the flaw. “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change or delete data; or create new accounts with full administrative rights.”
The future threat landscape
Effectively, the exploit provides a way around Adobe’s sandbox, several experts noted. Qualys CTO Wolfgang Kandek told Dark Reading that this type of attack, which strings together multiple vulnerabilities to deliver a workaround for security measures, is becoming more popular as vendors build more robust protections into their products.
“Most attackers need to chain together multiple vulns,” he explained. “I think this is in that spirit.”
The vulnerability is mitigated by the fact that the attacker must already have access to the machine, and it can be easily prevented by updating to current versions of Adobe Reader and Windows. Even so, its appearance in the wild may be a harbinger of future problems for Windows XP. Microsoft will cease to provide support for the operating system on April 8, 2014, and many attackers are likely waiting with zero-days in hand to begin preying on remaining users, experts told Threatpost.
“From a security perspective, this is a really important milestone,” Microsoft spokesperson Holly Stewart told the site. “Attackers will start to have a greater advantage over defenders. There were 30 security bulletins for XP this year, which means there would have been 30 zero-day vulnerabilities on XP [without support].”
For developers, the likely flood of XP exploits and the increasingly common trend of multi-vulnerability chains are both reminders that attempts to penetrate software's defenses do not end when new security features are added or when the program reaches the end of its life. To defend against ongoing attacker activity, developers can strengthen their programs by building in more software security during the original development process. Using tools such as static analysis software, coders can catch errors that could lead to exploits down the line and eliminate them long before a product's end-of-support deadline draws near.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.