Attackers exploit a Windows flaw using a booby-trapped USB

Pierluigi Paganini August 12, 2015

Microsoft announced in Tuesday’s bulletin that crooks have been exploiting a vulnerability that allows malicious code to be executed using a booby-trapped USB device.


According to Microsoft, the vulnerability affects all supported versions of Windows.

“An elevation of privilege vulnerability exists when the Mount Manager component improperly processes symbolic links. An attacker who successfully exploited this vulnerability could write a malicious binary to disk and execute it. To exploit the vulnerability, an attacker would have to insert a malicious USB device into a target system. The security update addresses this vulnerability by removing the vulnerable code from the component.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft has reason to believe that this vulnerability has been used in targeted attacks against customers.” states Microsoft.


This vulnerability, tracked as CVE-2015-1769, is reminiscent of the flaw exploited by the creators of Stuxnet, which we discussed in the past: it affects the functions that process the so-called .LNK files Windows uses to display icons when a USB stick is plugged in.

In 2010 Microsoft patched the .LNK vulnerability with MS10-046. The main difference between the vulnerability fixed by MS10-046 and the new one is that MS10-046 could be exploited remotely, whereas the new one can be exploited only locally, by using a USB stick. For this reason the new flaw is harder to exploit, and the severity assigned to it is not the highest.

Microsoft yesterday patched the vulnerability with MS15-085. The affected component is Windows Mount Manager, a driver (mountmgr.sys) that assigns drive letters to dynamic and basic disk volumes.

About the Author: Elsio Pinto (@high54security) is currently the Lead McAfee Security Engineer at Swiss Re, but he also has knowledge in the areas of malware research, forensics and ethical hacking. He had previous experiences in major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also owns his own blog: http://high54security.blogspot.com/

Pierluigi Paganini

(Security Affairs – USB exploit, CVE-2015-1769)


