Thursday, November 28, 2013

Zero-day Vulnerability in Microsoft Windows Kernel (2914486)



Today Microsoft announced a zero-day vulnerability in the Microsoft Windows Kernel component in Microsoft Security Advisory (2914486). According to Microsoft, the vulnerability is being used in limited, targeted attacks against Windows XP and Windows Server 2003 systems only; operating systems newer than Windows XP and Windows Server 2003 are not affected. It is classified as an elevation of privilege vulnerability. The workaround below targets the NDProxy.sys driver, which is the affected kernel-mode component.

On a compromised system, an attacker who successfully exploits the vulnerability can run code in kernel mode: install programs; view, change, or steal data; and make changes to the system with administrative privileges.

This vulnerability cannot be exploited remotely or by anonymous users; the attacker must have valid logon credentials and be able to log on locally. In practice that means it is used as the second stage of an attack: a low-privileged foothold (for example, code execution inside a user application) is escalated to full control of the machine.

Affected Software:
Windows XP SP3
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Server 2003 SP2 for Itanium-based Systems

At this stage Microsoft has not released a security update for this vulnerability, but a workaround is available.

Suggested Workaround:
According to Microsoft, the following workaround effectively blocks the known attacks by pointing the NDProxy service at the null driver, so the vulnerable NDProxy.sys is never loaded.
1. Log in as an administrator
2. Launch a command prompt
3. Execute the following commands
sc stop ndproxy
reg add HKLM\System\CurrentControlSet\Services\ndproxy /v ImagePath /t REG_EXPAND_SZ /d system32\drivers\null.sys /f
4. Restart the machine
Note that "sc stop ndproxy" may report that the driver cannot be stopped while dependent services are running; the registry change still takes effect after the restart, so the reboot in step 4 is what actually disables the driver.

Effects of this workaround:
Some services on the machine depend on the NDProxy service. Stopping and disabling NDProxy.sys will cause those services to stop. Services that will no longer work include Remote Access Service, dial-up networking and VPNs, so test the workaround on a representative machine before rolling it out to servers that provide remote access.

Reverting the changes (Undo Workaround):
To undo the changes made by the suggested workaround, follow these steps:
1. Log in as an administrator
2. Launch a command prompt
3. Execute the following commands
sc stop ndproxy
reg add HKLM\System\CurrentControlSet\Services\ndproxy /v ImagePath /t REG_EXPAND_SZ /d system32\drivers\ndproxy.sys /f
4. Restart the machine
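
The two procedures above (apply and undo) can be wrapped in a single batch file so that the change is applied consistently and, more importantly, verified after the reboot. The script below is an added example written for this post; it is not Microsoft's script and not part of the advisory. It assumes it is run from an administrator command prompt on Windows XP or Windows Server 2003, and the file name ndproxy_workaround.cmd and the apply/undo/check modes are my own choices.

```batch
@echo off
rem ndproxy_workaround.cmd - apply, undo, or check the NDProxy workaround from
rem Microsoft Security Advisory 2914486. Added example, not Microsoft's script.
rem Usage: ndproxy_workaround.cmd apply ^| undo ^| check
rem Run from an administrator command prompt on Windows XP / Server 2003.
setlocal
set KEY=HKLM\System\CurrentControlSet\Services\ndproxy

if /i "%~1"=="apply" goto apply
if /i "%~1"=="undo"  goto undo
if /i "%~1"=="check" goto check
echo Usage: %~nx0 apply ^| undo ^| check
exit /b 2

:apply
rem Point the service at the null driver so the vulnerable NDProxy.sys is not
rem loaded at next boot. "sc stop" may fail while RAS/VPN services hold the
rem driver; that is fine because the change only takes effect after a reboot.
sc stop ndproxy >nul 2>&1
reg add %KEY% /v ImagePath /t REG_EXPAND_SZ /d system32\drivers\null.sys /f
if errorlevel 1 (echo Failed to update ImagePath & exit /b 1)
echo Workaround applied. Reboot for it to take effect. RAS, dial-up and VPN will stop working.
goto check

:undo
rem Restore the original driver path so NDProxy.sys loads again after reboot.
sc stop ndproxy >nul 2>&1
reg add %KEY% /v ImagePath /t REG_EXPAND_SZ /d system32\drivers\ndproxy.sys /f
if errorlevel 1 (echo Failed to restore ImagePath & exit /b 1)
echo Workaround removed. Reboot to reload NDProxy.sys.
goto check

:check
rem Read back the ImagePath value and report whether the workaround is in place.
rem "reg query" prints "    ImagePath    REG_EXPAND_SZ    <path>"; tokens=2,*
rem puts the type in %%A and the path in %%B.
set IMG=
for /f "tokens=2,*" %%A in ('reg query %KEY% /v ImagePath ^| findstr /i "ImagePath"') do set IMG=%%B
echo Current ImagePath: %IMG%
echo %IMG% | findstr /i "null.sys" >nul && (echo Status: workaround APPLIED & exit /b 0)
echo %IMG% | findstr /i "ndproxy.sys" >nul && (echo Status: workaround NOT applied, NDProxy.sys active & exit /b 0)
echo Status: unexpected ImagePath value, inspect the key manually
exit /b 1
```

The "check" mode is the part worth keeping around: run it after the reboot on each machine (or from a logon script) to confirm the registry value actually points at null.sys, since a failed "reg add" or a later driver reinstall would silently leave the vulnerable driver loaded.
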
Further details about Vulnerability in Microsoft Windows Kernel Could Allow Elevation of Privilege or Microsoft Security Advisory (2914486) can be found at http://technet.microsoft.com/en-us/security/advisory/2914486

