Microsoft flaw allows USB loaded with payload to bypass security controls

Link

 

Mentioned in Ronjor post Microsoft Security Bulletin Advance Notification for March 2013 link

 

Solution for home users who want to protect themselves against such things -> Autorun Eater
http://www.softpedia.com/get/Security/Secure-cleaning/Autorun-Eater.shtml

 

It doesn't seem to use autorun.inf:

 

Kernel vulnerabilities... Why must it always be kernel vulnerabilities?

 

This flaw was patched last week.

 

Leo with Steve on "Security Now" podcast said that somebody could just put a thumbdrive on any public computers or to a library (those still unpatched) and boom! It is rated as Important(requires physical access) and not critical as in wormable(remote). Yet, as dangerous as the LNK exploit for Stuxnet. Or even worse because it is in the kernel mode.

Strange indeed the patch/update was not even checked by default considering the possible dangers.

 

Dear BoerenkoolMetWorst, it does use autorun.inf - otherwise there would be no way for the malware to load - the only other way is manual start which is not vulnerability/exploit/etc...

Disabled autorun means only that if you plug the removable media (USB pen drive or memory card) it won't start automatically and will require action. However, if you plug a removable media you are supposed to use it so you will open the file explorer (e.g. Windows Explorer/MyComputers/etc...) and will start it. The only way here for a malware to spread is to have modified the media by inserting autorun.inf file, which will make Windows start certain operation [e.g. load the malware] when the user "starts" the content of that media (e.g. when the user double clicks the usb pen drive to open/access it). Because of the autorun.inf double default double clicking will result in malware starting. Right clicking the usb pen drive you might choose more option other than starting the malware, but the default option used by the majority (double clicking) will load the malware.

The vulnerability mentioned in this thread might be related to something that if the autorun option is disabled, malware will again start automatically from the usb pen drive but this malware will again require autorun.inf file.

The idea of Autorun Eater (very smart and small utilility I mentioed before) is monitor the removable drives for the presense of autorun.inf files which contain known malicious and suspicious commands. As soon as such file is found, AutoRun Eater can pop-up and remove it so that it stops the malware from automatic loading. I have used this software for about 2 years now and it seems it has blocked all the malicious autorun.inf files I have noticed. Autorun Eater does not block all autorun.inf files but the malicious ones only.

 

A 01/15/2013 post from the guy Microsoft credited:
Lessons learned from 50 bugs: Common USB driver vulnerabilities
http://seclists.org/dailydave/2013/q1/25

USB Complete Chapter 4:
Enumeration: How the Host Learns about Devices
http://www.lvr.com/usbcenum.htm