


Microsoft patch stops attackers from owning PC via USB flash drive hack

Mar 13, 2013 | 4 min read
Data and Information Security | Microsoft | Security

Microsoft plugged a hole that would let an attacker with a malicious USB device take over a machine without logging in; think Stuxnet. Besides issuing seven security updates, Microsoft announced a change in how security patches for Windows 8 Store apps will be issued.

Yesterday Microsoft issued seven updates, four of them rated critical, addressing 20 vulnerabilities in Windows, Office, Internet Explorer, SharePoint (Server Tools) and Silverlight. MS13-021 resolves nine issues in Internet Explorer. “The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same rights as the current owner.” For MS13-021, as for MS13-022 (Silverlight) and MS13-024 (SharePoint), Microsoft’s exploitability assessment anticipates “reliable exploits developed within the next 30 days,” so these three are the ones to deploy first.

USB vulnerability plugged

Cue the Mission Impossible theme while thinking Stuxnet: Let’s say your computer is locked and it’s night. If an attacker has casual physical access to your machine, “such as a custodian sweeping your office at night or a security guard making his rounds,” he or she does not need to be logged in as a user to “own your machine by inserting a malicious USB device.” The flaws are in the way Windows USB drivers handle objects in memory, which is why no logon is needed: the driver processes the device as soon as it is plugged in, lock screen or not. Microsoft plugged that vulnerability (MS13-027) and said this “update represents an expansion of our risk assessment methodology.”

Microsoft quoted Law #3 of the “10 Immutable Laws of Security” that states: “If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.” This patch will stop an attacker from having the ability to “simply plug in a USB device to perform any action as an administrator.” Microsoft added, “While this style of attack sounds like it could easily fit into the latest Brad Meltzer thriller, applying the update provides the needed protection against this issue. This is also a good reminder for companies to include physical security in their threat modeling.”

If you are a worrier and wondered about also stopping an attacker from booting something like a Live CD to read your data, note that MS13-027 does nothing for that case: it closes the code-execution path through the USB drivers, not offline access to the disk. Full disk encryption (BitLocker on Windows) is what protects data at rest from a Live CD, and even then only if the protector is not trivially available, so pair a TPM with a PIN or a startup key rather than relying on a TPM-only configuration.
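As an added example (not code from the article or from Microsoft), the following PowerShell script audits a Windows 8 or Server 2012 host for the three controls discussed above: whether the MS13-027 update is installed, whether the operating system volume is protected by BitLocker, and whether the USB mass-storage driver has been disabled as a compensating control. It assumes it is run from an elevated session and that the KB number in `$Ms13027Kb` is the one Microsoft’s MS13-027 bulletin lists (KB2807986); verify that value against the bulletin before relying on the result.

```powershell
# Added example, not from the article or Microsoft. Run elevated.
# Assumption: $Ms13027Kb is the KB number from the MS13-027 bulletin; verify it.
param(
    [string]$Ms13027Kb = 'KB2807986'
)

$findings = @()

# 1. Is the MS13-027 update installed? Get-HotFix reads the same data the
#    "Installed Updates" control panel shows; no entry means the USB driver
#    flaws are still exposed to anyone who can reach a USB port.
$hotfix = Get-HotFix -Id $Ms13027Kb -ErrorAction SilentlyContinue
if ($hotfix) {
    $findings += "PASS  $Ms13027Kb installed on $($hotfix.InstalledOn)"
} else {
    $findings += "FAIL  $Ms13027Kb (MS13-027) not installed; USB attack path at the lock screen is still open"
}

# 2. Is the OS volume fully encrypted with protection on? A Live CD can read
#    an unencrypted volume, or one whose encryption is still in progress.
$osDrive = $env:SystemDrive
$bde = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction SilentlyContinue
if ($bde -and $bde.ProtectionStatus -eq 'On' -and $bde.VolumeStatus -eq 'FullyEncrypted') {
    $protectors = ($bde.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    $findings += "PASS  $osDrive fully encrypted, protection on (protectors: $protectors)"
    # A TPM-only protector unlocks the volume without user input; flag it.
    if ($protectors -eq 'Tpm') {
        $findings += "WARN  $osDrive uses a TPM-only protector; consider TPM+PIN or a startup key"
    }
} elseif ($bde) {
    $findings += "FAIL  $osDrive BitLocker volume status $($bde.VolumeStatus), protection $($bde.ProtectionStatus)"
} else {
    $findings += "FAIL  BitLocker not available or not configured for $osDrive"
}

# 3. Compensating control: USB mass-storage driver disabled (Start = 4).
#    This blocks USB storage only, not other USB device classes, so it does
#    not replace the patch.
$usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue
if ($usbstor -and $usbstor.Start -eq 4) {
    $findings += "INFO  USB mass-storage driver disabled (USBSTOR Start=4)"
} else {
    $findings += "INFO  USB mass-storage driver enabled; the patch and physical controls are the only defence"
}

$findings
```

Run it as `.\Audit-PhysicalAccess.ps1` (the file name is a suggestion); each line of output is one finding, and any FAIL means a custodian with a USB stick or a boot disc still has a path to your data. The USBSTOR check is deliberately reported as INFO rather than PASS or FAIL because disabling storage devices does not affect the USB descriptor handling the patch fixes.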

Windows Store App Security Updates

Another first announced this Patch Tuesday: security updates for Windows Store apps will no longer wait for Patch Tuesday and will instead be released as they become available. Microsoft wrote, “This applies to Microsoft apps that are installed using the Windows Store and to apps like Mail, which are preinstalled with Windows 8 but updated using the Windows Store. Providing security updates to these apps more frequently will allow us to add new functionality, fix issues and improve security. This will also help developers to avoid introducing new issues during the update process.”

According to the Windows Store App Updates Policy:

  • App security updates will be documented in a standing security advisory that:
    • Provides additional information and notifies customers that an update is available for them to install.
    • Is accompanied by a unique Microsoft Knowledge Base (KB) article number for reference to details about the changes.
  • When the same vulnerability affects a traditional and an app version of a software application, we will make every effort to release updates to both applications simultaneously through our normal security update release process on the second Tuesday of the month, except when customer risk justifies releasing an out-of-band update.

Traditional software updates to Windows will continue to be rolled out on Patch Tuesday.



Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.