A new zero day flaw in Windows XP and Server 2003 is being exploited in the wild to bypass the sandbox on unpatched versions of Adobe Reader, security firm FireEye has reported.
According to the firm's analysis, the vulnerability allows for a standard user running XP SP3 to elevate privileges to admin level, allowing a targeted attack on users running Reader versions 9.5.4, 10.1.6, 11.0.02 and before using a malicious PDF.
"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights," said Microsoft in a separate advisory (2914486).
In other words, attackers hitting this flaw can beat Adobe's sandbox by routing their sneakiness via a lower-level call through the OS itself.
The issue has been designated CVE-2013-5065 and an out-of-band patch looks like a distinct possibility given its seriousness.
"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs," said Microsoft's advisory, dropping a heavy hint that early action was likely.
Upgrades urged as answer
In order to fix the problem, users are advised to update Adobe Reader to a later version orsimply abandon Windows XP for Windows 7 or 8.
News of the issue will be taken as further confirmation that users need to get off XP although privilege elevation flaws can in principle affect any OS from time to time. They have become rarer in recent years, hence their importance when they surface.
A month ago Microsoft's Q3 Security Intelligence Report (SIR) found that XP was not only more likely to encounter malware but significantly more likely to fall prey to it all things being equal. Later versions of Windows—especially Windows 8—are architected with a greater level of low-level security designed to beat off some attacks.
Microsoft is urging all Windows XP users to upgrade because it is retiring the operating system and on April 8, 2014 will no longer supply even security upgrades.
