Microsoft flaw allows USB loaded with payload to bypass security controls

Discussion in 'other security issues & news' started by c2d, Mar 18, 2013.

Thread Status:
Not open for further replies.
  1. c2d

    c2d Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    570
    Location:
    Bosnia
    Link
     
  2. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Mentioned in Ronjor post Microsoft Security Bulletin Advance Notification for March 2013 link
     
  3. er34

    er34 Guest

  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    It doesn't seem to use autorun.inf:
     
  5. Kernel vulnerabilities... Why must it always be kernel vulnerabilities? :mad:
     
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
  7. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Leo with Steve on "Security Now" podcast said that somebody could just put a thumbdrive on any public computers or to a library (those still unpatched) and boom! It is rated as Important(requires physical access) and not critical as in wormable(remote). Yet, as dangerous as the LNK exploit for Stuxnet. Or even worse because it is in the kernel mode.

    Strange indeed the patch/update was not even checked by default considering the possible dangers.
     
  8. er34

    er34 Guest

    Dear BoerenkoolMetWorst, it does use autorun.inf - otherwise there would be no way for the malware to load - the only other way is manual start which is not vulnerability/exploit/etc...

    Disabled autorun means only that if you plug the removable media (USB pen drive or memory card) it won't start automatically and will require action. However, if you plug a removable media you are supposed to use it so you will open the file explorer (e.g. Windows Explorer/MyComputers/etc...) and will start it. The only way here for a malware to spread is to have modified the media by inserting autorun.inf file, which will make Windows start certain operation [e.g. load the malware] when the user "starts" the content of that media (e.g. when the user double clicks the usb pen drive to open/access it). Because of the autorun.inf double default double clicking will result in malware starting. Right clicking the usb pen drive you might choose more option other than starting the malware, but the default option used by the majority (double clicking) will load the malware.

    The vulnerability mentioned in this thread might be related to something that if the autorun option is disabled, malware will again start automatically from the usb pen drive but this malware will again require autorun.inf file.

    The idea of Autorun Eater (very smart and small utilility I mentioed before) is monitor the removable drives for the presense of autorun.inf files which contain known malicious and suspicious commands. As soon as such file is found, AutoRun Eater can pop-up and remove it so that it stops the malware from automatic loading. I have used this software for about 2 years now and it seems it has blocked all the malicious autorun.inf files I have noticed. Autorun Eater does not block all autorun.inf files but the malicious ones only.
     
  9. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    A 01/15/2013 post from the guy Microsoft credited:
    Lessons learned from 50 bugs: Common USB driver vulnerabilities
    http://seclists.org/dailydave/2013/q1/25

    USB Complete Chapter 4:
    Enumeration: How the Host Learns about Devices
    http://www.lvr.com/usbcenum.htm
     
    Last edited: Mar 22, 2013
Loading...
Thread Status:
Not open for further replies.