Attackers are actively exploiting a vulnerability present in every version of Windows, allowing them to execute malicious code on a victim's machine when the target mounts a simple USB device, Microsoft warned in its Patch Tuesday bulletin.
According to Microsoft officials, the Tuesday bulletin states:
“An elevation of privilege vulnerability exists when the Mount Manager component improperly processes symbolic links. An attacker who successfully exploited this vulnerability could write a malicious binary to disk and execute it.
“To exploit the vulnerability, an attacker would have to insert a malicious USB device into a target system. The security update addresses this vulnerability by removing the vulnerable code from the component.
“Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft has reason to believe that this vulnerability has been used in targeted attacks against customers.”
The vulnerability is similar to a critical flaw exploited back around 2008 by an NSA-affiliated hacking group known as Equation Group, who later became the developers behind the massively popular Stuxnet computer worm that plagued Iran’s nuclear program. That flaw let attackers unleash the sophisticated malware, which spread from one computer to another every time a malicious USB drive was plugged in.
That earlier vulnerability resided in a function that processes .LNK files, which Windows uses to display icons when a USB drive is plugged in. Back in 2010 Microsoft issued a patch for the .LNK vulnerability and rated it “critical”, the highest of its severity ratings. The rating fit, since the bug could infect air-gapped computers, that is, computers isolated from any outside network.
However, in its latest Patch Tuesday release, Microsoft rated the new vulnerability only “important”, the company’s second-highest severity rating. Microsoft has not explained the lower rating, though several researchers have offered plausible explanations.
According to Martijn Grooten, a researcher at Virus Bulletin, the .LNK vulnerability was remotely exploitable, giving attackers the ability to infect millions of machines. The bug patched Tuesday, by contrast, appears to require a physical USB drive to be plugged in for successful infection, which greatly limits the vulnerability's scope and is presumably why Microsoft dropped the rating one notch.
In addition to fixing the USB vulnerability, Microsoft also released an update that lets patched computers log attempts by a USB device to exploit the bug, making it much easier for users to know whether they are being targeted.
Microsoft’s patch for the USB vulnerability was one of 14 patches the company released as part of its monthly update cycle. What is particularly striking about this patch is that Microsoft generally credits the researcher who disclosed a vulnerability; this time the company chose not to elaborate on how the vulnerability was identified, beyond noting that it came “through coordinated vulnerability disclosure.”