Windows XP zero day gives attackers a way around Adobe Sandbox

A new zero day flaw in Windows XP and Server 2003 is being exploited in the wild to bypass the sandbox on unpatched versions of Adobe Reader, security firm FireEye has reported. 

According to the firm’s analysis, the vulnerability allows for a standard user running XP SP3 to elevate privileges to admin level, allowing a targeted attack on users running Reader versions 9.5.4, 10.1.6, 11.0.02 and before using a malicious PDF.

“An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights,” said Microsoft in a separate advisory (2914486). 

In other words, attackers hitting this flaw can beat Adobe’s sandbox by routing their sneakiness via a lower-level call through the OS itself.

The issue has been designated CVE-2013-5065 and an out-of-band patch looks like a distinct possibility given its seriousness.

“Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs,” said Microsoft’s advisory, dropping a heavy hint that early action was likely.

In order to fix the problem, users are advised to update Adobe Reader to a later version or simply abandon Windows XP for Windows 7 or 8.

News of the issue will be taken as further confirmation that users need to get off XP although privilege elevation flaws can in principle affect any OS from time to time. They have become rarer in recent years, hence their importance when they surface.

A month ago Microsoft’s Q3 Security Intelligence Report (SIR) found that XP was not only more likely to encounter malware but significantly more likely to fall prey to it all things being equal. Later versions of Windows – especially Windows 8 – are architected with a greater level of low-level security designed to beat off some attacks. 

Windows XP might be a dying operating system but it can still throw up some nasty surprises. This won’t be the last one.