Trend Micro has acquired samples of an exploit targeting the recent zero-day vulnerability affecting Windows XP and Server 2003. This is an elevation of privilege vulnerability, which may allow an attacker to gain privileges that would enable them to perform various actions, including deleting or viewing data, installing programs, or creating accounts with administrative privileges.
We acquired this sample from a targeted attack. In this incident, a malicious PDF (detected as TROJ_PIDEF.GUD) exploits an Adobe vulnerability (CVE-2013-3346) referenced in APSB13-15, which was released in May of this year. This vulnerability is used in tandem with the Windows zero-day vulnerability (CVE-2013-5065), resulting in a backdoor being dropped onto the system. The backdoor, detected as BKDR_TAVDIG.GUD, performs several routines, including downloading and executing files and posting system information to its command-and-control server.
This incident also serves as a reminder to users of the importance of moving to newer versions of Windows. Last April, Microsoft announced that it will discontinue support for Windows XP by April 2014. For users, this means that they will no longer receive security updates from the software vendor. Those still using Windows XP will remain vulnerable to attacks using exploits targeting that OS version.
Users with systems running on later versions of Windows are not affected by this threat. Trend Micro protects users from this threat by detecting and deleting all related malware. We will provide further information about this vulnerability at a later time.
Update as of 9:00 AM PST, November 29, 2013
Trend Micro Deep Security protects users from threats exploiting the vulnerabilities cited in this entry via the following rules:
- 1005801 – Microsoft Windows Kernel Elevation Of Privilege Vulnerability (CVE-2013-5065)
- 1005798 – Adobe Acrobat And Reader ToolButton Remote Code Execution Vulnerability (CVE-2013-3346)