Windows Vulnerability Enables Attackers to Booby-Trap USB Devices

A new vulnerability found in all Windows versions has been patched by Microsoft after it was allegedly exploited in the wild. The Mount Manager Component could allow an attacker to booby-trap a USB and execute malicious code when mounted on a Windows machine.

“An elevation of privilege vulnerability exists when the Mount Manager component improperly processes symbolic links,” reads the Security Bulletin. “An attacker who successfully exploited this vulnerability could write a malicious binary to disk and execute it.”

Marked as ‘Important’ in Microsoft’s Security Bulletin MS15-085, the vulnerability would allow attackers to infect air-gapped systems with maliciously crafted USB devices. Although it is not remotely exploitable and only offers a limited scope of attack, Microsoft reported it was successfully used in the wild.

“Microsoft received information about this vulnerability through coordinated vulnerability disclosure,” said Microsoft. “When this security bulletin was issued, Microsoft has reason to believe that this vulnerability has been used in targeted attacks against customers.”

Microsoft also announced the release of a tool designed to log attempts at exploiting the bug on patched systems, to help detect attempts to exploit it. To this end, event-auditing companies will have greater visibility into the types of threats that target them.

“The event log will be triggered every time a malicious USB that relies on this vulnerability, is mounted on the system,” reads Microsoft’s Security Research and Defense Blog. “If such an event is recorded, it means that attempt to exploit the vulnerability is blocked.”

Although no other mitigation factors or workarounds have been identified, Microsoft urges all its customers to install the update – using Windows Update – that’s currently available even in the Windows 10 cumulative update.