Security Research & Defense

Information from Microsoft about vulnerabilities, mitigations and workarounds, active attacks, security research, tools and guidance

March, 2013

  • MS13-027: Addressing an issue in the USB driver requiring physical access

    Today we are addressing a vulnerability in the way that the Windows USB drivers handle USB descriptors when enumerating devices (KB 2807986). This update represents an expansion of our risk assessment methodology to recognize vulnerabilities that may require physical access but do not require a valid logon session. Windows typically discovers USB devices when they are inserted or when they change power sources (for example, when a device switches from external power to being powered by the USB connection itself). To exploit the vulnerability addressed by MS13-027, an attacker could attach a maliciously formatted USB device to the system. When the Windows USB device drivers enumerate the device and parse a specially crafted descriptor, the attacker could cause the system to execute malicious code in the context of the Windows kernel.

    Because the vulnerability is triggered during device enumeration, no user intervention is required. In fact, the vulnerability can be triggered when the workstation is locked or when no user is logged in, making this an unauthenticated elevation of privilege for an attacker with casual physical access to the machine. Other software that enables low-level pass-through of USB device enumeration may open additional avenues of exploitation that do not require direct physical access to the system.

    - Josh Carlson and William Peteroy, MSRC
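
The post above describes the general hazard: a USB device controls every byte of the descriptors it returns, so a host-side parser that trusts bLength or wTotalLength as a cursor or copy length can be driven out of bounds before any user logs in. The following is an added illustration of the defensive parsing discipline for this class of bug; it is not Microsoft's driver code and makes no claim about the specific defect fixed by MS13-027. The descriptor blobs are constructed sample data, and the function name usb_walk_config is an assumption of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Standard descriptor type codes (USB 2.0 specification, section 9.4). */
#define USB_DT_CONFIG    0x02
#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT  0x05

/* Fixed sizes of the descriptors validated here (USB 2.0 specification, section 9.6). */
#define USB_DT_CONFIG_SIZE    9
#define USB_DT_INTERFACE_SIZE 9
#define USB_DT_ENDPOINT_SIZE  7

/*
 * Walk a configuration descriptor blob as returned by a GET_DESCRIPTOR request.
 * Every descriptor starts with bLength and bDescriptorType; the device can put
 * any value there, so each is checked against what is actually in the buffer
 * before it is used to advance the cursor or to read a field.
 * Returns the number of descriptors found, or -1 if the blob is malformed.
 * (Hypothetical helper written for this example.)
 */
int usb_walk_config(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < USB_DT_CONFIG_SIZE)
        return -1;
    if (buf[0] != USB_DT_CONFIG_SIZE || buf[1] != USB_DT_CONFIG)
        return -1;

    /* wTotalLength is device-supplied; it must never exceed what was received. */
    size_t total = (size_t)buf[2] | ((size_t)buf[3] << 8);
    if (total < USB_DT_CONFIG_SIZE || total > len)
        return -1;

    int count = 0;
    size_t pos = 0;
    while (pos < total) {
        /* The two-byte header itself must fit before it is read. */
        if (total - pos < 2)
            return -1;
        uint8_t blen  = buf[pos];
        uint8_t btype = buf[pos + 1];

        /* bLength == 0 would loop forever, bLength < 2 cannot hold its own header,
         * and bLength past the end would make the next descriptor read out of bounds. */
        if (blen < 2 || blen > total - pos)
            return -1;

        /* Types with a fixed layout must carry exactly that length, so that later
         * field reads (e.g. bNumEndpoints at offset 4 of an interface) stay in bounds. */
        switch (btype) {
        case USB_DT_CONFIG:
            if (blen != USB_DT_CONFIG_SIZE) return -1;
            break;
        case USB_DT_INTERFACE:
            if (blen != USB_DT_INTERFACE_SIZE) return -1;
            break;
        case USB_DT_ENDPOINT:
            if (blen != USB_DT_ENDPOINT_SIZE) return -1;
            break;
        default:
            /* Class- or vendor-specific descriptors: only the header is validated here. */
            break;
        }
        pos += blen;
        count++;
    }
    return count;
}

/* Constructed sample: config (9) + interface (9) + bulk IN endpoint (7), wTotalLength = 25. */
static const uint8_t GOOD_CONFIG[] = {
    0x09, 0x02, 0x19, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x01, 0xFF, 0x00, 0x00, 0x00,
    0x07, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00
};
/* Constructed sample: endpoint bLength claims 0x40 bytes, far past the end of the blob. */
static const uint8_t OVERLONG_CONFIG[] = {
    0x09, 0x02, 0x19, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x01, 0xFF, 0x00, 0x00, 0x00,
    0x40, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00
};
/* Constructed sample: endpoint bLength of 0, which a naive walker would spin on forever. */
static const uint8_t ZERO_LEN_CONFIG[] = {
    0x09, 0x02, 0x19, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x01, 0xFF, 0x00, 0x00, 0x00,
    0x00, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00
};
/* Constructed sample: wTotalLength (0x0100) larger than the 25 bytes actually received. */
static const uint8_t BIG_TOTAL_CONFIG[] = {
    0x09, 0x02, 0x00, 0x01, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x01, 0xFF, 0x00, 0x00, 0x00,
    0x07, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00
};

int check_good(void)      { return usb_walk_config(GOOD_CONFIG, sizeof GOOD_CONFIG); }
int check_overlong(void)  { return usb_walk_config(OVERLONG_CONFIG, sizeof OVERLONG_CONFIG); }
int check_zero_len(void)  { return usb_walk_config(ZERO_LEN_CONFIG, sizeof ZERO_LEN_CONFIG); }
int check_big_total(void) { return usb_walk_config(BIG_TOTAL_CONFIG, sizeof BIG_TOTAL_CONFIG); }

int main(void)
{
    printf("good: %d descriptors\n", check_good());
    printf("overlong bLength: %d\n", check_overlong());
    printf("zero bLength: %d\n", check_zero_len());
    printf("oversized wTotalLength: %d\n", check_big_total());
    return 0;
}
```

The point of the three malformed samples is that each is rejected by a check that runs before the untrusted value is used, and each check compares the device's claim against the byte count the host actually received rather than against another device-supplied field.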

  • Assessing risk for the March 2013 security updates

    Today we released seven security bulletins addressing 20 CVEs. Four of the bulletins have a maximum severity rating of Critical, and three have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

    Columns: Bulletin; Most likely attack vector; Max bulletin severity; Max exploitability index; Likely first 30 days impact; Platform mitigations and key notes.

    MS13-021 (Internet Explorer)
    Most likely attack vector: Victim browses to a malicious webpage.
    Max bulletin severity: Critical
    Max exploitability index: 1
    Likely first 30 days impact: Exploit code for CVE-2013-1288, an issue affecting IE8, is publicly available. Likely to see reliable exploits developed within next 30 days for other vulnerabilities addressed by this update as well.
    Platform mitigations and key notes: IE 10 on Windows 7 is not affected.

    MS13-022 (Silverlight)
    Most likely attack vector: Victim browses to a malicious webpage.
    Max bulletin severity: Critical
    Max exploitability index: 1
    Likely first 30 days impact: Likely to see reliable exploits developed within next 30 days.
    Platform mitigations and key notes: Affects Silverlight 5.

    MS13-027 (Windows USB driver)
    Most likely attack vector: Attacker physically inserts malicious USB device into victim's workstation or server, resulting in code execution as SYSTEM.
    Max bulletin severity: Important
    Max exploitability index: 1
    Likely first 30 days impact: Likely to see reliable exploits developed within next 30 days.
    Platform mitigations and key notes: Pre-auth code execution only possible for an attacker able to physically insert a malicious hardware device into the victim computer. See this blog post for more background on this vulnerability.

    MS13-024 (SharePoint 2010)
    Most likely attack vector: Attacker issues a search query on the SharePoint site with malicious script in the query string. In certain circumstances, a SharePoint admin may view search queries in such a way that the script from the attacker's search query is run in the context of the SharePoint administrator's session.
    Max bulletin severity: Critical
    Max exploitability index: 1
    Likely first 30 days impact: Likely to see reliable exploits developed within next 30 days.
    Platform mitigations and key notes: Affects only SharePoint Server 2010 Service Pack 1, no earlier or later versions of SharePoint.

    MS13-023 (Visio Viewer 2010)
    Most likely attack vector: Victim uses Visio Viewer 2010 to open a malicious Visio .DXF file.
    Max bulletin severity: Critical
    Max exploitability index: 2
    Likely first 30 days impact: Less likely to see a reliable exploit developed for this vulnerability. Visio Viewer exploits are not often seen in the wild, and this one looks more difficult than usual to exploit for reliable code execution.
    Platform mitigations and key notes: Visio itself is not affected by this vulnerability directly. Only Visio Viewer 2010 is affected.

    MS13-025 (OneNote 2010)
    Most likely attack vector: Attacker lures victim to open a OneNote file from a malicious or attacker-controlled directory. Attacker uses this vulnerability to cause process memory from the victim's OneNote process to be written back to the file in the attacker's directory, potentially leaking information to the attacker.
    Max bulletin severity: Important
    Max exploitability index: n/a
    Likely first 30 days impact: Not possible to leverage this vulnerability for code execution directly. Information disclosure only.
    Platform mitigations and key notes: Affects only OneNote 2010 Service Pack 1, no earlier or later versions of OneNote. Attacker must lure victim into opening a file from a server or location they control. Only information in the OneNote process at the time the user opens the malicious file could become accessible to the attacker.

    MS13-026 (Office Outlook for Mac)
    Most likely attack vector: Attacker sends victim an email with links to external content. Content is loaded without prompting the user.
    Max bulletin severity: Important
    Max exploitability index: n/a
    Likely first 30 days impact: Not possible to leverage this vulnerability for code execution directly. Information disclosure only.
    Platform mitigations and key notes: none listed.

    - Jonathan Ness, MSRC Engineering