Software giant Microsoft has written a patch for a huge hole in Windows which allowed attackers to use USB-connected drives to take full control of a targeted computer.
Redmond has warned that fixing the vulnerability was important, rather than critical, because the hacker needs to have physical access to the computer being attacked.
This makes it hard for hacks to spread online, but it does make it possible to carpet bomb conferences or other gatherings with booby-trapped drives which infect those present with malware. It would be expensive, and fairly obvious, but it would be possible.
Where it would be more useful is for a spook who gains access to a building to nick corporate data or sabotage computer operations.
Stuxnet showed that the physical aspect of planting USB drives or having people to take these things into facilities, does work.
Microsoft wrote that the MS13-027 series of vulnerabilities can be exploited when a maliciously formatted USB drive is inserted in to a computer.
Windows drivers need to read a specially manipulated descriptor, and the system will execute attack code with the full permissions of the operating system kernel.
Microsoft Security Response Center researchers Josh Carlson and William Peteroy wrote in the company’s blog that the vulnerability was triggered during device enumeration, no user intervention is required.
The vulnerability can be triggered when the workstation is locked or when no user is logged in, making this an un-authenticated elevation of privilege for an attacker with casual physical access to the machine.
Microsoft has closed a variety of security holes related to USB hard drives over the last few years. One of these was fixing the LNK file vulnerability that allowed Stuxnet to infect machines when a stick was plugged in.
Many company engineers have also redesigned the autorun feature that used to automatically open a window each time a removable drive was connected to stop future attacks on corporate networks.
MS13-027 is one of seven bulletins Microsoft issued as part of this month’s Patch Tuesday.