Microsoft Patches USB-Related Flaw Used in Targeted Attacks

A vulnerability patched by Microsoft in the Windows Mount Manager is being exploited in targeted attacks.

It used to be that dropping a USB stick in a parking lot in the hope that someone plugs the malicious peripheral into an important computer was the realm of penetration testers and ambitious nation-state actors.

That’s just not so anymore. The practice has gone mainstream, even infiltrating popular hacker dramas on television.

Microsoft yesterday patched a vulnerability, MS15-085, in Windows Mount Manager, a driver in mountmgr.sys that assigns driver letters for dynamic and basic disk volumes. The flaw, Microsoft said, is being exploited in targeted attacks and patching this vulnerability should be prioritized.

Microsoft rated the vulnerability (CVE-2015-1769) “important” because it requires local access to a machine to exploit. But that shouldn’t diminish the importance of the vulnerability, experts said.

“Even in an otherwise locked down, unprivileged environments, this vulnerability can allow an attacker to run malicious code on a system if they can gain access to a USB port,” said Bobby Kuzma, systems engineer at Core Security. “Thankfully, since this attack does require physical access to a system, it’s impact is limited to specific environments and circumstances.”

The most notorious instance of advanced attackers moving malware over USB drives is of course Stuxnet. Attackers used USBs to infect computers with the malware at the Natanz uranium enrichment facility in Iran; Stuxnet-infected machines spread the malware to USBs and other peripherals connected to the computer in the hopes of spreading the attack to air-gapped machines.

This vulnerability is different, said Craig Young, a security researcher with Tripwire.

“This flaw allows someone with physical access to an unlocked machine to use the USB drive as an avenue to write files where the user normally could not,” Young said. “This makes [elevation of privilege] easy since DLLs can be written to system locations and in general executables run as SYSTEM should be replaceable with attacker code.”

Stuxnet exploited, among other vulnerabilities, a flaw in the Windows Shell that allowed local users and remote attackers to execute code using a malicious .LNK shortcut file. The vulnerability occurs because the .LNK files are not properly handled during icon display in Windows Explorer and in Siemens WinCC SCADA systems. The malware executes by merely visiting a directory hosting the .LNK file.

The .LNK vulnerability was also exploited by the Equation Group, uncovered by researchers at Kaspersky Lab, via the Fanny worm. Fanny exploits two zero days also used by Stuxnet and also spread over USB sticks to air-gapped computers.

In March, Microsoft patched the .LNK-related vulnerability again after German researcher Michael Heerklotz discovered that the original patch from August 2010 was incomplete. Heerklotz reported the bug to HP’s Zero Day Initiative, which said that Windows users had been exposed all along. Heerklotz said he found a way to bypass Microsoft’s patch by attacking other parts of the .LNK code that was not checked by the original patch.

The Mount Manager vulnerability patched yesterday is not remotely exploitable. It does allow for elevation of privilege and affects supported Windows systems, including Windows 10.

“This particular vulnerability is a great illustration of the security precept ‘If I can touch your computer, it’s not your computer anymore,'” Kuzma said. “It’s important for organizations to think about the physical security of their systems, and the access controls to prevent unauthorized users from gaining access to them. A review of policies and controls surrounding outside USB media might be a good idea.”

Microsoft announced that in addition to the patch it was also making an event log available that detects attacks against this vulnerability.

“The event log will be triggered every time a malicious USB that relies on this vulnerability, is mounted on the system. If such an event is recorded, it means that attempt to exploit the vulnerability is blocked,” Microsoft said in a blog post. “So once the update is installed, companies auditing event logs will be able to use this as detection mechanism. These events are logged under ‘System’ channel and is reported as an error.”

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.