Released more than 12 years ago, Windows XP is easily the oldest major operating system still in widespread use, with considerable market share even now among government agencies and private enterprises. For a variety of reasons, from tight IT budgets to the complex logistics of upgrading thousands of endpoints to Windows 7 and/or 8, many organizations have stuck with XP and the similarly aging Windows Server 2003, even as they approach the end of mainstream support in April 2014 and July 2015, respectively.
The prospect of endless zero-day exploits cropping up in XP in 2014 has been well-documented, but recent developments have really driven home what the post-support landscape could look like. Issues affecting features such as the Adobe Sandbox demonstrate the need to move off of XP and Server 2003 as soon as possible. These older OSes lack the hardened and cutting-edge security features found in their successors, making them fundamental liabilities.
Software as old as XP and Server 2003 probably should have stopped receiving support years ago. While Microsoft and its partners could be more proactive in the future when pushing enterprises to upgrade, the current state of affairs – in terms of both support and market share – requires organizations to take the initiative and move toward more modern OSes in the most efficient way before the deadlines.
More specifically, if an upgrade cannot be made right away, organizations should be diligent about installing new Windows patches and shoring up IT security while they plan for the transition. Ultimately, these Windows end-of-life processes demonstrate how companies can better protect themselves by shifting energies away from mostly defensive strategies on old platforms and toward proactive measures naturally supported by the features of more secure OSes.
Windows vulnerability allows for remote takeover and targeting of Adobe Reader
Microsoft recently confirmed that a vulnerability in XP and Server 2003 allows local attackers to perform an escalation of privilege hack, meaning that they can obtain administrative rights. As administrators, perpetrators can delete system data, create new accounts with administrative privileges and bypass application sandboxes.
The latter capability has become particularly problematic. Attackers with access to administrator accounts can send a malicious PDF and exploit an Adobe Reader feature that is nominally enclosed by the application’s sandbox. The payload is a backdoor that allows for arbitrary code execution and communication with a command-and-control server.
Users of XP and Server 2003 who are also running Adobe Reader versions 9.5.4, 10.1.6 or 11.0.02 are at risk. Anyone on a more recent version of Windows is likely safe. Keeping Adobe Reader up to date (all of the exploited versions are outdated) may also provide protection against the threats on the older platforms, but with the end of official support on the horizon, simply abandoning the older OSes altogether may be the better long-term move.
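The at-risk combination above (XP or Server 2003 plus one of the three listed Reader builds) is something an administrator can check for across an endpoint inventory. The script below is an added example, not code from the original article or from Microsoft, Adobe or Trend Micro. It assumes the inventory has been exported as CSV with hostname, os and reader_version columns; the sample rows, hostnames and the hypothetical "11.0.03" and "11.0.04" builds are constructed for illustration. It compares Reader versions numerically rather than as strings, which matters because "9.5.4" sorts after "10.1.6" lexically but is the older release.

```python
"""Inventory triage for the XP / Server 2003 + Adobe Reader exposure.

Added example (not from the article). Assumes a CSV export with the columns
hostname, os, reader_version. Sample data below is constructed.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Platforms the article describes as affected by the privilege-escalation flaw.
AFFECTED_OS = {"windows xp", "windows server 2003"}

# Reader builds the article lists as exploited, keyed by major release branch.
EXPLOITED_READER = {9: (9, 5, 4), 10: (10, 1, 6), 11: (11, 0, 2)}

# Constructed sample inventory; hostnames and the 11.0.03 / 11.0.04 builds are
# made up for this example.
SAMPLE_CSV = """hostname,os,reader_version
example-ws-01,Windows XP,11.0.02
example-ws-02,Windows XP,11.0.03
example-srv-01,Windows Server 2003,9.5.4
example-ws-07,Windows 7,10.1.6
example-ws-12,Windows 8,11.0.04
"""


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '11.0.02' into (11, 0, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def reader_is_exploited_build(version: str) -> bool:
    """True if the Reader build is at or below the exploited build of its branch.

    Branches older than 9 predate every listed build and are treated as
    outdated; branches newer than 11 are treated as not on the list.
    """
    parsed = parse_version(version)
    major = parsed[0]
    if major < 9:
        return True
    if major in EXPLOITED_READER:
        return parsed <= EXPLOITED_READER[major]
    return False


@dataclass
class Finding:
    hostname: str
    risk: str    # "exposed", "unsupported-os", "outdated-reader" or "ok"
    reason: str


def assess(hostname: str, os_name: str, reader_version: str) -> Finding:
    """Classify one host by OS support status and Reader build."""
    old_os = os_name.strip().lower() in AFFECTED_OS
    old_reader = reader_is_exploited_build(reader_version)
    if old_os and old_reader:
        return Finding(hostname, "exposed",
                       "affected OS running a Reader build listed as exploited")
    if old_os:
        return Finding(hostname, "unsupported-os",
                       "OS approaching end of support; plan the upgrade")
    if old_reader:
        return Finding(hostname, "outdated-reader",
                       "Reader build listed as exploited; update Reader")
    return Finding(hostname, "ok", "no issue from this check")


def triage(csv_text: str) -> list[Finding]:
    """Run assess() over every row of the CSV export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [assess(r["hostname"], r["os"], r["reader_version"]) for r in rows]


def exposed_hosts(csv_text: str) -> list[str]:
    """Hostnames that combine an affected OS with an exploited Reader build."""
    return [f.hostname for f in triage(csv_text) if f.risk == "exposed"]


if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV):
        print(f"{finding.hostname:16} {finding.risk:16} {finding.reason}")
```

The four risk buckets map onto the article's advice: "exposed" hosts need both a Reader update now and an OS migration plan, "unsupported-os" hosts need the migration plan, and "outdated-reader" hosts on newer Windows still need the Reader update even though the privilege-escalation flaw does not apply to them.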
It’s possible that Microsoft could issue an out-of-band patch to address this serious vulnerability, or simply include it as part of an upcoming Patch Tuesday. The fix should tide over users that remain on the older platforms, but defending XP and Server 2003 against threats is becoming more difficult even with official support still available. For example, computers running XP not only encounter more malware than Windows 8 machines, they also have a much higher rate of infection.
“Computers running Windows XP in 1H13 encountered about 31 percent more malware worldwide than computers running Windows 8, but their infection rate was more than 5 times as high,” stated the executive summary of Microsoft’s Security Intelligence Report for the first half of 2013.
Upgrading is a good option because doing so removes the numerous attack surfaces in the long-studied XP and Server 2003. However, whether using an old OS or a new one, users can guard against malware like this joint Windows/Adobe exploit with cybersecurity solutions that identify and remove threats.
Exploit payload uses anti-analysis techniques
The stakes for updating and securing systems are high, given the complexity of this zero-day threat. That is, it exhibits several anti-analysis features that make it difficult to trace.
Trend Micro’s research discovered that the malware creates a separate thread for its malicious activity, deleting the original one to shield itself from debuggers. Like the growing Upatre family of exploits that compromises machines via spam email, this malware performs arbitrary code execution by exploiting a flaw in the Windows API.
With multiple threads dedicated solely to evading detection and analysis, this Windows/Adobe exploit is notable for its sophistication. Perhaps more telling, however, is its focus on outdated pieces of software.
The threat is more an indictment of inadequate upgrade and patching processes than a revelation of how powerful malware has become. There are clear steps to take to protect IT assets from zero-day vulnerabilities in XP and Server 2003, but time is running out, and ideally this new threat will be the impetus for upgrading.
Assessing the threats on the horizon as Windows XP and Windows Server 2003 near end-of-life
Taking a step back, the issue with XP and Server 2003 is only one example of what could happen on a regular basis once these platforms stop receiving official support. Microsoft has encouraged XP users to upgrade before April 8, 2014, beyond which point zero-day exploits could become permanent.
“From a security perspective, this [deadline] is a really important milestone,” stated Microsoft spokesperson Holly Stewart. “Attackers will start to have a greater advantage over defenders. There were 30 security bulletins for XP this year, which means there would have been 30 zero-day vulnerabilities on XP [without support].”
Moreover, attackers may have been stockpiling exploits for XP and Server 2003, content to wait out official support and then use these creations against the considerable install bases of these OSes. Using older software adds an extra, unneeded layer of complexity to an already tangled security environment. Upgrading to newer solutions, applying patches in a timely fashion and utilizing anti-malware and detection software are practical steps that companies still on XP and Server 2003 can take to mitigate risk as April 2014 approaches.