Microsoft Subnet An independent Microsoft community View more

Microsoft patch stops attackers from owning PC via USB flash drive hack

Microsoft plugged a hole that would allow an attacker with a USB device to own a machine without being logged in, think Stuxnet. Besides issuing seven security updates, Microsoft announced a change in the way Windows 8 Store app security patches will be issued.

Yesterday Microsoft issued seven updates, four of them critical, to address 20 vulnerabilities in Windows, Office, Internet Explorer, SharePoint (Server Tools) and Silverlight. MS13-021 resolves nine issues in Internet Explorer. "The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same rights as the current owner." Like MS13-022 patching Silverlight and MS13-024 plugging a hole in SharePoint, Microsoft expects to see "reliable exploits developed within the next 30 days."

USB vulnerability plugged

Cue Mission Impossible theme while thinking Stuxnet: Let's say your computer is locked and it's night. If an attacker has casual physical access to your machine, "such as a custodian sweeping your office at night or a security guard making his rounds," he or she does not need to be logged in as a user to "own your machine by inserting a malicious USB device." Microsoft plugged that vulnerability (MS13-027) and said this "update represents an expansion of our risk assessment methodology."

Microsoft quoted Law #3 of the "10 Immutable Laws of Security" that states: "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore." This patch will stop an attacker from having the ability to "simply plug in a USB device to perform any action as an administrator." Microsoft added, "While this style of attack sounds like it could easily fit into the latest Brad Meltzer thriller, applying the update provides the needed protection against this issue. This is also a good reminder for companies to include physical security in their threat modeling."

If you are a worrier and wondered about also stopping an attacker from using something like Live CD to access your data, be sure you use full disk encryption to protect your machine.

Windows Store App Security Updates

Another first for Microsoft Patch Tuesday is that future Windows Store app security updates will do away with Patch Tuesday and instead be issued as they come available. Microsoft wrote, "This applies to Microsoft apps that are installed using the Windows Store and to apps like Mail, which are preinstalled with Windows 8 but updated using the Windows Store. Providing security updates to these apps more frequently will allow us to add new functionality, fix issues and improve security. This will also help developers to avoid introducing new issues during the update process."

According to the Windows Store App Updates Policy:

  • App security updates will be documented in a standing security advisory that:
    • Provides additional information and notifies customers that an update is available for them to install.
    • Is accompanied by a unique Microsoft Knowledge Base (KB) article number for reference to details about the changes.
  • When the same vulnerability affects a traditional and an app version of a software application, we will make every effort to release updates to both applications simultaneously through our normal security update release process on the second Tuesday of the month, except when customer risk justifies releasing an out-of-band update.

Traditional software updates to Windows will continue to be rolled out on Patch Tuesday.

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Related:
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.