Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
Today we are addressing a vulnerability in the way that the Windows USB drivers handle USB descriptors when enumerating devices. (KB 2807986). This update represents an expansion of our risk assessment methodology to recognize vulnerabilities that may require physical access, but do not require a valid logon session. Windows typically discovers USB devices when they are inserted or when they change power sources (if they switch from plugged-in power to being powered off of the USB connection itself). To exploit the vulnerability addressed by MS13-027, an attacker could add a maliciously formatted USB device to the system. When the Windows USB device drivers enumerate the device, parsing a specially crafted descriptor, the attacker could cause the system to execute malicious code in the context of the Windows kernel.
Because the vulnerability is triggered during device enumeration, no user intervention is required. In fact, the vulnerability can be triggered when the workstation is locked or when no user is logged in, making this an un-authenticated elevation of privilege for an attacker with casual physical access to the machine. Other software that enables low-level pass-through of USB device enumeration may open additional avenues of exploitation that do not require direct physical access to the system.
- Josh Carlson and William Peteroy, MSRC
Today we released seven security bulletins addressing 20 CVE’s. Four of the bulletins have a maximum severity rating of Critical, and three have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
(Windows USB driver)
(Visio Viewer 2010)
(Office Outlook for Mac)
- Jonathan Ness, MSRC Engineering