0-Day Fixes

Windows kernel vulnerability could allow escalation of privilege

Details
Report ID: MAPP-CVE20135065
Date Published: 29 November 2013
Date Revised:
Criticality: Critical
Compromise Type: privilege-escalation
Compromise From: local-system
Affected Product/Component:
Windows XP
Windows Server 2003

Summary

A vulnerability in the Windows kernel could, upon successful exploitation, allow an attacker to run arbitrary code in kernel mode.

Detailed Description

Microsoft has reported a vulnerability affecting Windows XP and Windows Server 2003 machines, caused by the NDProxy.sys kernel component's failure to properly validate input. Upon successful exploitation, an attacker could run arbitrary code in kernel mode. To exploit this vulnerability, however, the attacker must have valid logon credentials and be able to log on locally.

To mitigate the impact of this vulnerability, users are advised to reroute the NDProxy service to Null.sys. Complete instructions are available in Microsoft Security Advisory (2914486).

F-Secure detects the files taking advantage of this vulnerability with these detections:

  1. PDF:Exploit.CVE-2013-5065.A - starting in Aquarius database version 2013-11-28_06, which was released on 28 November 2013
  2. Gen:Trojan.Heur.FU.ku3@aSHWAmji - starting in Aquarius database version 2013-11-07_07, which was released on 7 November 2013

Please allow F-Secure products to block installation of files that take advantage of this vulnerability.

CVE Reference

  • CVE-2013-5065

Detected Exploit

Detections
  • PDF:Exploit.CVE-2013-5065.A
  • Gen:Trojan.Heur.FU.ku3@aSHWAmji
Databases
  • Aquarius database version 2013-11-28_06 at 14:46:12 UTC
  • Aquarius database version 2013-11-07_07 at 22:58:11 UTC
Release Dates
  • 28 November 2013
  • 7 November 2013

Solution

Microsoft recommends that users reroute the NDProxy service to Null.sys. Complete instructions are available in Microsoft Security Advisory (2914486).
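The following read-only check is an added example, not part of this advisory and not Microsoft's or F-Secure's own tooling. It reports whether the NDProxy service on a host has been rerouted to Null.sys as the workaround above describes, so that an administrator can confirm the mitigation after applying it or find hosts that still need it. It assumes that the service is registered under HKLM\SYSTEM\CurrentControlSet\Services\NDProxy, that an unmitigated system has an ImagePath ending in NDProxy.sys, and that PowerShell 2.0 is installed on the Windows XP or Windows Server 2003 host being checked. The exact rerouting steps themselves are not reproduced here; they are in Microsoft Security Advisory (2914486).

```powershell
# Added example (not from the F-Secure or Microsoft advisories): report whether
# the NDProxy service has been rerouted to Null.sys. Read-only; changes nothing.
# Assumptions: service key is HKLM\SYSTEM\CurrentControlSet\Services\NDProxy,
# an unmitigated host has ImagePath pointing at NDProxy.sys, and PowerShell 2.0
# is present on the XP / Server 2003 host.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NDProxy'

if (-not (Test-Path $key)) {
    Write-Output "NDProxy service key not found; nothing to check."
    exit 0
}

$svc       = Get-ItemProperty -Path $key
$imagePath = [string]$svc.ImagePath
$start     = $svc.Start   # 0=boot, 1=system, 2=auto, 3=manual, 4=disabled

Write-Output ("ImagePath : {0}" -f $imagePath)
Write-Output ("Start     : {0}" -f $start)

if ($imagePath -match 'null\.sys$') {
    Write-Output "MITIGATED: NDProxy is rerouted to Null.sys (reboot required for the change to take effect)."
} elseif ($start -eq 4) {
    Write-Output "Service is disabled (Start=4). Not the advisory's reroute, but NDProxy.sys will not load at boot."
} else {
    Write-Output "NOT MITIGATED: NDProxy still points at its original driver. Apply the workaround in Microsoft Security Advisory (2914486) and reboot."
}

# The registry shows the configured state; the loaded driver shows the running
# state. Kernel drivers are listed in Win32_SystemDriver, so report both.
$loaded = Get-WmiObject Win32_SystemDriver -Filter "Name='NDProxy'"
if ($loaded) {
    Write-Output ("Driver state : {0}" -f $loaded.State)
    Write-Output ("Driver path  : {0}" -f $loaded.PathName)
}
```

Run it from an elevated PowerShell prompt on each host after applying the workaround and again after the reboot, since the registry value changes immediately but the originally loaded driver stays resident until restart. Microsoft's advisory also notes that rerouting NDProxy.sys stops services that depend on the Windows Telephony API (TAPI), including Remote Access Service, dial-up networking and VPN, so hosts that rely on those should be identified before the change is rolled out.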

Removal/Disinfection

Allow F-Secure Internet Security or F-Secure Anti-Virus to block installation of malicious files, and to remove or disinfect malicious files if found on the system.

Original Source

Microsoft Security Advisory (2914486)