Microsoft Patches New USB Hijack Bug
Patch Tuesday (not to be confused with Fat Tuesday) is an ongoing initiative from Microsoft that implements fixes for major Windows bugs on the second Tuesday of each month. This past Tuesday (March 12), Microsoft repaired a real doozy: a vulnerability that allowed hackers to take control of a Windows machine with a simple USB-based program.
The bug was of a particularly malicious variety, since it was nearly impossible to spot and targeted the Windows kernel, which rests at the deepest and hardest-to-repair level of the operating system. Although the hijack required a malefactor to physically insert a USB stick into a victim's computer, it could supersede regular login protocols.
This isn’t the first USB hijack vulnerability to affect Windows. The Stuxnet cyberweapon that damaged Iran’s nuclear centrifuges in 2010 exploited Windows’ then-default setting to automatically run any application on a USB stick, a setting that was subsequently changed.
In this new case, specially crafted malware on the USB stick could trip up the running memory of the USB driver in most supported versions of Windows and exploit that to install malicious software. Microsoft was not aware of any existing exploits of the vulnerability.
A hijack that comes via a USB may seem simple enough to avoid, but handing out USB sticks at events or conferences is so commonplace that a hacker could do a lot of damage with a few dozen cheap thumb drives and a clever program. Creating code that masquerades as the standard USB interface ("Autoplay," "Open folder to view files," etc.) is exceedingly simple, and few users would be able to tell the difference until after the hijack.
Because the hijack could not be transmitted online, Microsoft considered the fix "important" rather than "critical." Of course, after gaining control of a machine, a hacker could then cause all sorts of other online mischief, from using the computer as a spam server to stealing passwords for financial information.
Either way, Microsoft has taken care of the problem, so users need not worry about USB sticks taking advantage of this particular vulnerability. Hackers are persistent, however, and a good old-fashioned malware scan upon inserting a new USB stick never hurt anyone.
Be sure to keep an eye on your laptop in public places as well, especially at big tech conferences or conventions. Hijackers have much more to gain there than at your local coffee shop.