

Vulnerability protection

Windows kernel vulnerability could allow escalation of privilege


Report ID: MAPP-CVE20135065
Date Published: 29 November 2013
Date Revised:

Criticality: Critical
Compromise Type: privilege-escalation
Compromise From: local-system


Affected Product/Component:

Windows XP
Windows Server 2003




Summary

A vulnerability in the Windows kernel could, upon successful exploitation, allow an attacker to run arbitrary code in kernel mode.



Detailed Description

Microsoft has reported a vulnerability affecting Windows XP and Windows Server 2003 machines, caused by the NDProxy.sys kernel component's failure to properly validate input. Upon successful exploitation, an attacker could run arbitrary code in kernel mode. To exploit this vulnerability, however, the attacker must have valid logon credentials and be able to log on locally.

To mitigate the impact of this vulnerability, users are advised to reroute the NDProxy service to Null.sys. Complete instructions are available in Microsoft Security Advisory (2914486).

F-Secure detects the files taking advantage of this vulnerability with these detections:

  1. PDF:Exploit.CVE-2013-5065.A - starting in Aquarius database version 2013-11-28_06, which was released on 28 November 2013
  2. Gen:Trojan.Heur.FU.ku3@aSHWAmji - starting in Aquarius database version 2013-11-07_07, which was released on 7 November 2013

Please allow F-Secure products to block installation of files that take advantage of this vulnerability.



CVE Reference

CVE-2013-5065



Detected Exploit

Detections
PDF:Exploit.CVE-2013-5065.A
Gen:Trojan.Heur.FU.ku3@aSHWAmji

Databases
Aquarius database version 2013-11-28_06 at 14:46:12 UTC
Aquarius database version 2013-11-07_07 at 22:58:11 UTC

Release Dates
28 November 2013
7 November 2013



Solution

Microsoft recommends that users reroute the NDProxy service to Null.sys. Complete instructions are available in Microsoft Security Advisory (2914486).
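The rerouting workaround referred to above and in the Detailed Description, written out as an added example (not part of this advisory). The commands follow the workaround published in Microsoft Security Advisory 2914486; the registry path assumes the standard Services key layout, and the script must run from an Administrator command prompt on the affected Windows XP or Server 2003 machine.

```batch
@echo off
rem Added example: apply, revert or check the Microsoft Security Advisory
rem 2914486 workaround that points the NDProxy service at null.sys.
rem A reboot is required after applying or reverting. While the workaround
rem is in place, TAPI-dependent features (RAS, dial-up networking, VPN)
rem stop working, so plan for that impact before deploying it.

set NDP_KEY=HKLM\SYSTEM\CurrentControlSet\Services\NDProxy

if /I "%~1"=="revert" goto revert
if /I "%~1"=="status" goto status

:apply
echo Current NDProxy image path (before change):
reg query "%NDP_KEY%" /v ImagePath | find /I "ImagePath"
sc stop ndproxy
rem Redirect the service's driver image to the null driver.
reg add "%NDP_KEY%" /v ImagePath /t REG_EXPAND_SZ /d system32\drivers\null.sys /f
goto status

:revert
sc stop ndproxy
rem Restore the original driver image once the security update is installed.
reg add "%NDP_KEY%" /v ImagePath /t REG_EXPAND_SZ /d system32\drivers\NDProxy.sys /f
goto status

:status
rem Report whether the workaround is currently configured.
reg query "%NDP_KEY%" /v ImagePath | find /I "null.sys" >nul
if %ERRORLEVEL%==0 (
    echo Workaround applied: NDProxy ImagePath points at null.sys
) else (
    echo Workaround NOT applied: NDProxy ImagePath is the original driver
)
echo Reboot for the change to take effect.
```

Run with no argument to apply, `revert` to undo after patching, or `status` to audit a machine without changing it.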


Removal/Disinfection
Allow F-Secure Internet Security or F-Secure Anti-Virus to block installation of malicious files, and to remove or disinfect malicious files if found on the system.



Additional Info

-


