Microsoft’s Patch Tuesday yielded an interesting security fix for a glaring vulnerability in how the Windows kernel handles USB device enumeration. The critical vulnerability allowed potential hackers with physical access to a Windows PC to run arbitrary code with system user privileges — even while Windows was locked and users logged off.
Would-be hackers could exploit the security hole by merely inserting a specially-formatted USB flash drive with a custom device descriptor. During device detection, the Windows kernel would parse this information and execute malicious code found on such a USB drive, irrespective of autorun or AutoPlay settings. The code would run with elevated system privileges.
Microsoft’s researchers admit this attack may indicate other, similar “avenues of exploitation” — but perhaps where physical access to the host system is not required.
The vulnerability (MS13-027) is found across all versions of Windows ranging from Windows 8 to as far back as Windows XP SP2, including Windows Server variants.
Because the hack requires no user interaction and exploits how Windows kernel-mode drivers handle memory-resident objects, the security snafu could be exploited even without a logged-on user or while a Windows system is locked.
Having physical access to a computer can make rooting a standard Windows box relatively straightforward; however, exploits which require only brief casual access can be dangerous, particularly in office and educational settings — a user’s privacy and security can be compromised in a matter of seconds.
Microsoft addressed this security issue in yesterday’s round of updates. Windows Update is the simplest way to install the patch, but it can also be downloaded and installed manually.