Windows PC flaw makes USB ports a major security risk

Tony Bradley
17 March, 2013
View more articles fromthe author

Microsoft has released seven new security bulletins in recent days, with four rated as “critical,” but security experts are particularly concerned about a flaw rated as merely “important” that exposes your Windows PCs to major risk.

Wolfgang Kandek, CTO of Qualys, notes in a blog post that the number of security bulletins is about par for the course for Microsoft. He adds, “In technical terms though we are seeing some interesting vulnerabilities that definitely rate higher-than-average.”

For starters, there is a cumulative security update for Internet Explorer (MS13-021). It addresses nine separate vulnerabilities, one of which has had exploit code circulating in the wild for the past month. Kandek urges IT admins to apply this update as soon as possible.

“Every supported version of Internet Explorer (6 through 10) is affected, thus implicitly making all supported Windows platforms (including Windows RT) a target for attackers,” points out BeyondTrust CTO Marc Maiffret.

According to Paul Henry, security and forensic analyst at Lumension, the second priority should be MS13-022 – a “critical” security bulletin that deals with a remote code execution vulnerability in Silverlight 5. Simply browsing to a website with malicious content with a vulnerable version of Silverlight is all it takes to become a victim of this attack.

Possibly the most interesting of the seven security bulletins, though, is MS13-027. Microsoft only rates it as “important” because the attack requires physical access to the vulnerable machine. Andrew Storms, director of security operations for nCircle (currently in the process of being acquired by Tripwire), explains that this flaw allows anyone with a USB thumb drive loaded with the attack code to bypass security controls and access a vulnerable system even if AutoRun is disabled, and the screen is locked.

Storms cautions, “Just imagine what a properly motivated janitorial staff could do with this vulnerability in just one evening. This vulnerability also seriously impacts security on all those public kiosks and co-location centers that don’t have locked cabinets. The potential for harm with this vulnerability can’t be overstated.”

Security experts agree that MS13-021, MS13-022, and MS13-027 pose a very serious threat and should be addressed immediately. As with any Patch Tuesday, you should review all of the security bulletins to determine the potential impact to your systems, and prioritize the patches accordingly.

While you’re at it, Adobe has released a new version of their Flash player, which addresses four critical vulnerabilities. Make sure you take a look at that and update Flash player as soon as possible as well.


By Tony Bradley, PC World.

One Comment

One person was compelled to have their say. We encourage you to do the same..

  1. symbolset says:

    USB ports have always been a security risk. The DMA aspect of the USB standard guarantees exploitability on any exposed USB port, no matter the OS. This update will not change that. But at least the USB ports won’t have extra software security holes above and beyond their inherent risk, so install it.

    If you’re serious about Enterprise IT and the hardware might be exposed to somebody with ill intent, desolder the USB headers, put epoxy in the ports, or otherwise do away with USB because otherwise they’re gonna get ya. Exposed USB ports are a gimme.

Leave a Comment

Please keep your comments friendly on the topic.

Contact us