Attackers actively exploiting Windows bug via malicious USB devices

In this month’s Patch Tuesday, Microsoft has released 14 bulletins and patches addressing a bucketload of vulnerabilities in a number of its products, including its new browser Edge.

The updates have all been rated either “critical” and “important”. Among the latter is one that fixes a Windows bug (CVE-2015-1769) that has apparently already been exploited in the wild in targeted attacks against customers.

“An elevation of privilege vulnerability exists when the Mount Manager component improperly processes symbolic links. An attacker who successfully exploited this vulnerability could write a malicious binary to disk and execute it,” Microsoft explained in the bulletin accompanying the patch.

“To exploit the vulnerability, an attacker would have insert a malicious USB device into a target system. The security update addresses this vulnerability by removing the vulnerable code from the component.”

The bug affects most versions of Windows – from Vista to Windows 10, both client and server versions.

An active exploit for the flaw is also available as a Metasploit module.

Microsoft didn’t offer more details about the exploits discovered in the wild, and hasn’t said who discovered the flaw and disclosed its existence to them.

Users are advised to implement the update shipped on Tuesday, which also includes an event log tool to help defenders detect attempts to use this vulnerability on their systems.

“The event log will be triggered every time a malicious USB that relies on this vulnerability, is mounted on the system. If such an event is recorded, it means that attempt to exploit the vulnerability is blocked. So once the update is installed, companies auditing event logs will be able to use this as detection mechanism,” Axel Souchet and Vishal Chauhan from MSRC Vulnerabilities and Mitigations Team explained in a blog post.




Share this