It hasn’t received much attention – perhaps because Microsoft is focusing its security efforts on Windows Vista and later operating systems, as XP draws perilously close to its end of support date less than five months from now – but last week the company released a security advisory for a kernel vulnerability in Windows XP and Windows Server 2003 that reportedly has already been exploited in a limited number of attacks. The vulnerability was discovered and reported by researchers at FireEye.
Security Advisory 2914486 assures customers that they have nothing to fear if they’re using a newer OS. The problem is that, according to NetMarketShare’s statistics for November 2013, a large chunk of the population – 31.22 percent – is still using Windows XP. Lest you think that number is made up only of unsophisticated home users who are stubbornly clinging to their familiar desktop environment, a research report from VMware indicates that a whopping 94 percent of organizations in the U.K. have yet to completely migrate from Windows XP. That means there are still a large number of computers out there that have the potential to be affected by this vulnerability.
The good news is that there are some mitigating factors that make it less likely the vulnerability can be successfully exploited. It can’t be done over the Internet; the attacker has to log on locally – and it won’t work for anonymous users; the attacker also has to have a valid user name and password to log on. Thus this can be looked at more as an internal threat, but we all know that talented social engineers are good at getting into places where they aren’t supposed to be and persuading authorized users to reveal their credentials, so the risk shouldn’t be discounted entirely.
Windows Server 2003 still has another year before support ends in 2015, and organizations generally have better physical security protecting servers (and may be more diligent about applying updates), so there is probably less chance of that OS falling victim to the exploit.
If an attacker is successful, though, the consequences can be serious. The attacker would be able to elevate privileges, making it possible to run arbitrary code in kernel mode. With admin rights, the attacker would essentially control the machine and be able to install programs, steal (or modify or delete) data and otherwise do anything an administrator can do.
For those who are interested in the technical details, the problem lies in NDProxy.sys, a kernel-mode driver that ships with the OS. Because it doesn’t validate input properly, a locally logged-on attacker can use it to elevate privileges and seize control of the machine.
ITProPortal reported on November 29 that Microsoft had “released an emergency patch to close the loophole,” but no patch has yet been released. The “temporary solution” they mention actually pertains to the fact that the security advisory contains a workaround that you can implement in order to protect XP and Server 2003 systems until a patch is issued. The workaround involves disabling NDProxy.sys via a simple registry edit, which an administrator can do from the command prompt:
sc stop ndproxy
reg add HKLM\System\CurrentControlSet\Services\ndproxy /v ImagePath /t REG_EXPAND_SZ /d system32\drivers\null.sys /f
Before you do this, though, you need to consider whether you have any TAPI (Telephony Application Programming Interface) programs running on the Windows XP/Server 2003 computer. Disabling NDProxy.sys will cause them to stop working. This includes dial-up networking (probably not an issue for most users, although some still use this service), Remote Access Service (RAS) and virtual private networking (VPN), which could be more of a problem.
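As an added example (not part of the advisory or this post), the following PowerShell script audits a Windows XP or Server 2003 host for the state of this workaround and lists the running TAPI-dependent services that would stop working if it were applied. It assumes the original ImagePath is system32\DRIVERS\ndproxy.sys and that the relevant services are TapiSrv, RasMan and RemoteAccess; verify both against your own builds.

```powershell
# Added example, not from the advisory or the post: audit the NDProxy.sys
# workaround state on a Windows XP / Server 2003 host before or after applying it.
# Assumptions: the untouched ImagePath is "system32\DRIVERS\ndproxy.sys" and the
# TAPI-dependent services are TapiSrv, RasMan and RemoteAccess (service names
# chosen here for illustration; confirm them on your own systems).
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\ndproxy'

function Get-NdProxyWorkaroundState {
    $os = Get-WmiObject Win32_OperatingSystem
    # XP reports NT 5.1 and Server 2003 reports NT 5.2; the advisory says later versions are unaffected.
    $affected  = ($os.Version -like '5.1*') -or ($os.Version -like '5.2*')
    $imagePath = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
    $svc       = Get-Service ndproxy -ErrorAction SilentlyContinue
    $status    = 'not found'
    if ($svc) { $status = $svc.Status }
    New-Object PSObject -Property @{
        OSVersion         = $os.Version
        Affected          = $affected
        ImagePath         = $imagePath
        # The workaround points the driver's ImagePath at null.sys instead of ndproxy.sys.
        WorkaroundApplied = ($imagePath -ne $null) -and ($imagePath -match 'null\.sys$')
        DriverStatus      = $status
    }
}

function Get-TapiDependentServices {
    # Services behind dial-up networking, RAS and VPN, which the post says break once NDProxy is disabled.
    'TapiSrv', 'RasMan', 'RemoteAccess' |
        ForEach-Object { Get-Service $_ -ErrorAction SilentlyContinue } |
        Where-Object { $_.Status -eq 'Running' }
}

$state = Get-NdProxyWorkaroundState
$state | Format-List OSVersion, Affected, ImagePath, WorkaroundApplied, DriverStatus
if ($state.Affected -and -not $state.WorkaroundApplied) {
    $running = @(Get-TapiDependentServices)
    if ($running.Count -gt 0) {
        'Workaround NOT applied. These TAPI-dependent services are running and would stop working:'
        $running | ForEach-Object { "  $($_.Name) ($($_.DisplayName))" }
    } else {
        'Workaround NOT applied; no TAPI-dependent services are currently running.'
    }
}
```

Run it once before applying the registry change to see what will break, and again afterwards (and after a reboot) to confirm ImagePath now points at null.sys.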
Microsoft may issue a security update on an upcoming Patch Tuesday, but Windows XP doesn’t have many more Patch Tuesdays left. The real “permanent solution” to this problem and those that are sure to follow is (you knew I was going to say this) to finally let go of the 12-year-old operating system and update to Windows 8/8.1 or at least Windows 7. Interestingly, recent stats from Net Applications show that Windows 7’s market share is still growing despite the release of newer operating systems.
I’ve had a few stalwart XP fans tell me that they intend to keep running the OS even after support ends. One even opined that since it’s been around for so long, surely all the serious security issues have been found and fixed by now. Unfortunately, as this latest discovery shows, that’s not the case. While home users might have the luxury of living in denial, it would be foolhardy for businesses to do so. If your org doesn’t have a migration from XP already planned or in progress, it’s time to stop putting it off.