Microsoft’s latest patches address new USB hack

by Dara Kerr

A new kind of vulnerability popped up recently, one that lets hackers stick a USB thumb drive into a computer — even if it’s logged-off or locked — type out a bit of attack code and steal whatever data they want.

In an effort to avoid this type of cyberattack, Microsoft issued its monthly software patches today and included a fix for this Windows vulnerability called MS13-027. This vulnerability lets a hacker get into the computer with a thumb drive and take over administrative privileges.

“When the Windows USB device drivers enumerate the device, parsing a specially crafted descriptor, the attacker could cause the system to execute malicious code in the context of the Windows kernel,” Microsoft wrote in a blog post today. “Because the vulnerability is triggered during device enumeration, no user intervention is required. In fact, the vulnerability can be triggered when the workstation is locked or when no user is logged in, making this an un-authenticated elevation of privilege for an attacker with casual physical access to the machine.”

According to IDG News Service, security experts also view the vulnerability as a serious issue.
“You’ve seen this attack method in movies for years, and it’s now showing in enterprises all over the world,” nCircle’s director of security operations Andrew Storms said, according to IDG News Service. “The potential for harm with this vulnerability can’t be overstated.”

Microsoft issued six other patches today, four of these were categorized as critical and three were listed as important. Combined, the seven patches look to cover 20 vulnerabilities found in Internet Explorer and Microsoft’s Silverlight, Office, Windows, and more.

Share

Comments are closed.

Twitter widget by Rimon Habib - BuddyPress Expert Developer