Microsoft plugged a hole that would allow an attacker with a USB device to own a machine without being logged in; think Stuxnet. Besides issuing seven security updates, Microsoft announced a change in the way Windows 8 Store app security patches will be issued.

Yesterday Microsoft issued seven updates, four of them critical, to address 20 vulnerabilities in Windows, Office, Internet Explorer, SharePoint (Server Tools) and Silverlight. MS13-021 resolves nine issues in Internet Explorer. “The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same rights as the current owner.” As with MS13-022, which patches Silverlight, and MS13-024, which plugs a hole in SharePoint, Microsoft expects to see “reliable exploits developed within the next 30 days.”

USB vulnerability plugged

Cue the Mission Impossible theme while thinking Stuxnet: let’s say your computer is locked and it’s night. If an attacker has casual physical access to your machine, “such as a custodian sweeping your office at night or a security guard making his rounds,” he or she does not need to be logged in as a user to “own your machine by inserting a malicious USB device.” Microsoft plugged that vulnerability (MS13-027) and said this “update represents an expansion of our risk assessment methodology.”

Microsoft quoted Law #3 of the “10 Immutable Laws of Security,” which states: “If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.” This patch will stop an attacker from having the ability to “simply plug in a USB device to perform any action as an administrator.” Microsoft added, “While this style of attack sounds like it could easily fit into the latest Brad Meltzer thriller, applying the update provides the needed protection against this issue. This is also a good reminder for companies to include physical security in their threat modeling.” If you are a worrier and wondered about also stopping an attacker from using something like a Live CD to access your data, be sure you use full disk encryption to protect your machine.

Windows Store App Security Updates

Another first for Microsoft Patch Tuesday: future Windows Store app security updates will do away with Patch Tuesday and instead be issued as they become available. Microsoft wrote, “This applies to Microsoft apps that are installed using the Windows Store and to apps like Mail, which are preinstalled with Windows 8 but updated using the Windows Store. Providing security updates to these apps more frequently will allow us to add new functionality, fix issues and improve security. This will also help developers to avoid introducing new issues during the update process.”

According to the Windows Store App Updates Policy, app security updates will be documented in a standing security advisory that provides additional information and notifies customers that an update is available for them to install, and that is accompanied by a unique Microsoft Knowledge Base (KB) article number for reference to details about the changes. When the same vulnerability affects a traditional and an app version of a software application, Microsoft will make every effort to release updates to both applications simultaneously through its normal security update release process on the second Tuesday of the month, except when customer risk justifies releasing an out-of-band update.

Traditional software updates to Windows will continue to be rolled out on Patch Tuesday.
Follow me on Twitter @PrivacyFanatic