Customers still on Windows XP, and there are many thanks to corporate IT departments, have a number of reasons to be concerned. The biggest of which is that the operating system is scheduled to die this coming April. No, it won’t suddenly stop working, you’ll still be able to boot up your computer and continue on your merry way, but Microsoft will no longer support it. That’s important, because it means that bugs and security flaws will not be patched.
Now Microsoft is warning of one of those flaws, in the form of a new zero day vulnerability in the vintage OS. Advisory 2914486 states that the company “is investigating new reports of a vulnerability in a kernel component of Windows XP and Windows Server 2003. We are aware of limited, targeted attacks that attempt to exploit this vulnerability.” The software giant does promise that this bug does not affect newer versions of Windows, only those on XP and Server 2003 have reason for concern.
Security researchers at Sophos explain the problem as a “bug is in the NDPROXY.SYS driver, which co-ordinates the operation of Microsoft’s Telephony API (TAPI).” The researchers go on to announce that instances have been found in the wild. Sophos also claims that, due to the nature of the exploit, it presents a rather tough problem, when it comes to finding a solution. That’s never what you wish to hear, especially if you have hundreds of these systems deployed in your business.
At the moment, there is no solution for the problem. The company states only that “upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.” In other words, all Microsoft can really do right now is tell customers to stay calm and hope for the best.