Microsoft investigating MS Windows local privilege escalation zero-day

Microsoft issued a security alert and is investigating a report issued by FireEye Labs warning of an MS Windows/Adobe Reader local privilege escalation zero-day in the wild.

In a new security alert Microsoft announced it is investigating a report issued earlier today by FireEye Labs warning of an MS Windows local privilege escalation zero-day in the wild.

The Windows local privilege escalation vulnerability that FireEye Labs says it has identified "cannot be used for remote code execution but could allow a standard user account to execute code in the kernel. Currently, the exploit appears to only work in Windows XP."

If you're running the latest versions of Adobe Reader, FireEye says that you shouldn't be affected by the exploit.

In "MS Windows Local Privilege Escalation Zero-Day in The Wild," FireEye's Xiaobo Chen and Dan Caselden detail the issue:

This local privilege escalation vulnerability is used in-the-wild in conjunction with an Adobe Reader exploit that appears to target a patched vulnerability.

The exploit targets Adobe Reader 9, 10, and 11 prior to patches 11.0.02, 10.1.6, and 9.5.4 on Windows XP SP3.

In today's Security Advisory, "Vulnerability in Microsoft Windows Kernel Could Allow Elevation of Privilege," Microsoft states:

Microsoft is investigating new reports of a vulnerability in a kernel component of Windows XP and Windows Server 2003. We are aware of limited, targeted attacks that attempt to exploit this vulnerability.

Our investigation of this vulnerability has verified that it does not affect customers who are using operating systems newer than Windows XP and Windows Server 2003.

The vulnerability is an elevation of privilege vulnerability. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

FireEye Labs and Microsoft are working in concert on the issue, and Microsoft has assigned it the identifier CVE-2013-5065.

The mitigating factors, Microsoft said:

An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

The vulnerability could not be exploited remotely or by anonymous users.

FireEye Labs takes a slightly different approach to warning the public and offers this mitigation advice for protection:

The following actions will protect users from the in-the-wild PDF exploit:

1) Upgrade to the latest Adobe Reader
2) Upgrade to Microsoft Windows 7 or higher
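
To turn the version statements above into an exposure check, the following added example (not code from FireEye, Microsoft or this article) triages asset-inventory records against the affected operating systems and the patched Adobe Reader releases quoted on this page. The record layout, host names, status labels and function names are assumptions made for illustration.

```python
import re

# First patched Reader release per branch, as quoted from FireEye on this page.
PATCHED_READER = {9: (9, 5, 4), 10: (10, 1, 6), 11: (11, 0, 2)}
KERNEL_AFFECTED = ("windows xp", "windows server 2003")  # per Microsoft's advisory


def parse_version(text):
    """Turn '11.0.02' into (11, 0, 2); return None if it is not dotted numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    parts = tuple(int(p) for p in text.split("."))
    return (parts + (0, 0))[:3]  # pad '10.1' to three fields, ignore extra fields


def reader_unpatched(version_text):
    """True/False for Reader 9, 10 and 11; None for unknown or unlisted branches."""
    v = parse_version(version_text)
    if v is None or v[0] not in PATCHED_READER:
        return None
    return v < PATCHED_READER[v[0]]


def triage(host):
    """Classify one inventory record (assumed keys: 'os', 'reader')."""
    os_name = host["os"].lower()
    if not any(os_name.startswith(name) for name in KERNEL_AFFECTED):
        return "os-not-listed-as-affected"
    unpatched = reader_unpatched(host.get("reader", ""))
    if os_name.startswith("windows xp") and "sp3" in os_name and unpatched:
        return "in-the-wild-chain-applies"  # XP SP3 plus unpatched Reader
    if unpatched is None and host.get("reader"):
        return "kernel-affected-reader-unknown"  # needs manual review
    return "kernel-affected"  # kernel issue applies regardless of Reader version


# Constructed sample inventory; these hosts are not real.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "os": "Windows XP SP3", "reader": "10.1.4"},
    {"host": "ws-02", "os": "Windows XP SP3", "reader": "11.0.02"},
    {"host": "srv-01", "os": "Windows Server 2003 SP2", "reader": ""},
    {"host": "ws-03", "os": "Windows 7 SP1", "reader": "9.5.0"},
    {"host": "ws-04", "os": "Windows XP SP3", "reader": "unknown"},
]

if __name__ == "__main__":
    for record in SAMPLE_INVENTORY:
        print(record["host"], triage(record))
```

A host on Windows XP or Windows Server 2003 with a patched Reader is still reported as `kernel-affected`, because upgrading Reader only blocks the PDF delivery path described by FireEye.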

In August Microsoft announced that support for Windows XP will be ending in April 2014, prompting some to refer to Windows XP as "zero day forever."