Reference: CERT-EU Security Advisory 2013-0093
Title: Microsoft Windows local privilege escalation zero-day bypassing Adobe Reader sandbox in the wild
Version history:
  28.11.2013  Initial publication

Summary
=======

A new Windows local privilege escalation vulnerability has been identified in the wild [1]. The vulnerability cannot be used for remote code execution, but it could allow a standard user account to execute code in the kernel. Currently, the exploit appears to only work in Windows XP.

This local privilege escalation vulnerability is used in the wild in conjunction with an Adobe Reader exploit that appears to target a patched vulnerability. The exploit targets Adobe Reader 9, 10, and 11 prior to patches 11.0.02, 10.1.6, and 9.5.4 [1] on Windows XP SP3. Those running the latest versions of Adobe Reader should not be affected by this exploit.

Post exploitation, the shellcode decodes a PE payload from the PDF, drops it in the temporary directory, and executes it.

CVE numbers: CVE-2013-5065

Vulnerable systems
==================

Adobe Reader 9, 10, and 11 prior to patches 11.0.02, 10.1.6, and 9.5.4 on:

  Windows XP Service Pack 3
  Windows XP Professional x64 Edition Service Pack 2
  Windows Server 2003 Service Pack 2
  Windows Server 2003 x64 Edition Service Pack 2
  Windows Server 2003 with SP2 for Itanium-based Systems

What can you do?
================

The following actions will protect users from the in-the-wild PDF exploit:

1) Upgrade to the latest Adobe Reader
2) Upgrade to Microsoft Windows 7 or higher

Workarounds:
============

For environments with non-default, limited user privileges, Microsoft has verified that the following workaround effectively blocks the attacks that have been observed in the wild [1]. To implement this workaround, follow these steps:

1. From an elevated command prompt, execute the following commands:

     sc stop ndproxy
     reg add HKLM\System\CurrentControlSet\Services\ndproxy /v ImagePath /t REG_EXPAND_SZ /d system32\drivers\null.sys /f

2. Restart the system.

What to tell your users?
========================

N/A

More information
================

[1] http://technet.microsoft.com/en-us/security/advisory/2914486
[2] http://www.adobe.com/support/security/bulletins/apsb13-07.html

Best regards,
CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
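To confirm that the NDProxy workaround from the Workarounds section is actually in place on a host (registry value redirected to null.sys and the driver no longer running after the reboot), the following audit script can be used. It is an added example, not part of the CERT-EU advisory or of Microsoft's guidance; it assumes an elevated PowerShell session and that the pre-workaround ImagePath is the default `system32\DRIVERS\ndproxy.sys` (an assumption used only by the rollback helper).

```powershell
# Added example (not from the CERT-EU advisory): audit whether the NDProxy
# workaround from Microsoft advisory 2914486 [1] is in place on this host.
# Assumptions: elevated PowerShell session; the default pre-workaround
# ImagePath is 'system32\DRIVERS\ndproxy.sys' (verify on your own build
# before relying on Undo-NdproxyWorkaround).

$NdproxyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\ndproxy'

function Get-NdproxyWorkaroundState {
    # Registry view: where does the service entry say the driver lives?
    $props = Get-ItemProperty -Path $NdproxyKey -Name ImagePath -ErrorAction SilentlyContinue
    $imagePath = if ($props) { $props.ImagePath } else { $null }

    # Runtime view: Get-Service does not list kernel drivers, so use the
    # ServiceController device list (the equivalent of 'sc query ndproxy').
    $driver = [System.ServiceProcess.ServiceController]::GetDevices() |
        Where-Object { $_.ServiceName -eq 'ndproxy' }
    $status = if ($driver) { $driver.Status.ToString() } else { 'NotInstalled' }

    $redirected = ($imagePath -ne $null) -and ($imagePath -match '\\null\.sys$')
    New-Object PSObject -Property @{
        ImagePath          = $imagePath
        DriverStatus       = $status
        RegistryRedirected = $redirected
        # Step 2 of the workaround is a reboot; until then the real driver
        # may still be loaded even though the registry already points at null.sys.
        FullyApplied       = ($redirected -and ($status -eq 'Stopped'))
    }
}

function Undo-NdproxyWorkaround {
    # Rollback: restore the (assumed) default path; the driver loads again on the next reboot.
    Set-ItemProperty -Path $NdproxyKey -Name ImagePath `
        -Value 'system32\DRIVERS\ndproxy.sys' -Type ExpandString
}

$state = Get-NdproxyWorkaroundState
$state | Format-List ImagePath, DriverStatus, RegistryRedirected, FullyApplied

if ($state.RegistryRedirected -and -not $state.FullyApplied) {
    Write-Warning 'ImagePath points at null.sys but the driver is not stopped: reboot still pending.'
}
if ($state.FullyApplied) {
    # Side effect documented in [1]: with NDProxy disabled, RAS, dial-up and VPN stop working.
    Write-Warning 'NDProxy is disabled: RAS, dial-up and VPN on this host will not work until the workaround is undone.'
}
```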