Microsoft pushes seven patches, including fix for "evil maid"-style attack
Microsoft on Tuesday released seven patches to eliminate 20 vulnerabilities, including one fix that addresses a scenario that even the software giant admits sounds more likely to happen in a suspense novel than in real life.
The patches -- four of which are graded "critical" and three labeled "important" -- cover issues in Windows, Office, Internet Explorer (IE), Server Tools, and Silverlight.
Most pressing to organizations is the cumulative IE patch, MS13-021, which corrects nine client-side flaws in all supported versions of the browser that could be exploited by attackers if a user is convinced into viewing a malicious web page.
But the part of the security update that has everyone talking is MS13-027, which resolves three vulnerabilities in kernel-mode drivers in Windows that could allow for privilege escalation. Those heightened privileges could then grant an attacker the ability to execute code in the kernel.
These flaws can be exploited simply by plugging in an infected USB stick into a targeted computer.
"While this isn't the first issue to leverage physical access and USB devices, it is different in that it doesn't require a machine to be logged on," wrote Dustin Childs, Microsoft's group manager of response communications, in a blog post. "It also provides kernel-level code execution, where previous attacks only allowed code execution at the logged-on level. Because of this, someone with casual physical access, such as a custodian sweeping your office at night or a security guard making his rounds, could simply plug in a USB device to perform any action as an administrator."
Childs made the distinction between what Microsoft defines us "unrestricted physical access" and "casual physical access." The latter is far more dangerous.
"This is much different than unrestricted physical access, where that same person would have to steal your machine, boot it using removable media, and decrypt files on the hard drive," he wrote. "While it may be tempting to dismiss this sort of issue since it requires physical access, again, we want to do what is best for the customer. Casual physical access combined with kernel-mode code execution represent a significant enough threat that we released an update to address this issue.
"While this style of attack sounds like it could easily fit into the latest Brad Meltzer thriller, applying the update provides the needed protection against this issue," Childs added.
Microsoft is not yet aware of any of the bugs that it patched on Tuesday being under attack in the wild.