From Digibase Knowledge Base
Jump to: navigation, search

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.

Digibase Security Advisory - Windows XP Kernel-Mode Zero-Day

Keywords: Windows XP, Microsoft, 0day, Zero Day, Adobe, Adobe Reader, PDF

DBSA ID: 2013-0009

Regarding: Windows XP Kernel-Mode Zero-Day

Writeup: Kradorex Xeron (talk) 14:56, 15 November 2013 (EST)

Date: 2013 11 29

Last Modified: 20131129215853 by Gung-ho Gun

Who should take note: Microsoft Windows users, administrators et. al, Adobe Reader users.


Priority: HIGH

Rationale: There is no patch or update available, mitigations must be taken.

Severity: HIGH

Rationale: The exploit can be leveraged to install unauthorised software or damage computer systems with highest privleges.


Rationale: All users of Microsoft Windows XP are suseptable.


The issue is two-fold and has the following characteristics, either/or may also be utilized on their own:

Adobe Reader versions equal and prior to 9.5.4, 10.1.6, 11.0.02 are vulnerable to an exploit wherein unauthorised code may be executed embedded into PDFs resulting in malicious actions being taken by the code under the users' credentials. Often times installations of Adobe Reader can go un-updated under a belief that it will automatically update and go unchecked.

Microsoft Windows XP has a zero-day vulnerability wherein a core component of Windows may be tricked into executing malicious code at the Operating System level, this exploit would result in any executed code being executed with higher privleges than Administrator resulting in malicious software being installed and/or data destruction or exposure. It is possible at this level for malicious code to remove/damage any measures such as anti-virus or software firewalls.

Both elements combined can provide a measure whereas a PDF loaded into a web browser may proceed to exploit Windows XP installations and gain highest privlege access to the operating system.

This exploit is actively being utilized "in the wild" by attackers.


All users vulnerable are advised not to open unverified PDFs or files in general on Windows XP systems or otherwise visit websites where unverified files may be loaded or access sites with questionable advertising.

Further it is advised that users update (and/or check that they are updated) to the most recent Adobe Reader to close the PDF component of this exploit.

At the time of this writing however there is no update patch for Windows XP, users and administrators should watch for a patch for KB2914486, until then only mitigation of only opening known files or programs is an option. Further mitigations for more technical users and administrators are available in the "Suggested Actions▶Workarounds" section of the Microsoft advisory noted in References.