Microsoft’s scheduled Patch Tuesday update brings fixes to a number of vulnerabilities including one that allowed an attacker to gain elevated privilege access to a Windows PC and execute malicious code by simply inserting a USB flash drive.
The company’s monthly security update brings fix for a vulnerability (MS15-085) rated “important” that allowed hackers to take control of a system by just inserting a malicious USB flash drive. While no reports of a similar vulnerability has been reported over the past few days, Microsoft adds that it has been used in targeted attacks. Systems from Windows Vista to Windows RT 8.1 are affected by the bug, called ‘Vulnerability in Mount Manager Could Allow Elevation of Privilege (3075158)’.
“Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft has reason to believe that this vulnerability has been used in targeted attacks against customers,” the firm said.
Windows-powered systems are infamous for USB-related vulnerabilities. By default, the BIOS easily lets one bypass the boot sequence, and furthermore allows users access to files stored on the hard drive without much effort. Over the new Windows versions, things have become better, but it’s not enough considering a vast majority of people are still on Windows 7.
The latest patch fixes a vulnerability that arises when the Mount Manager component fails to correctly process symbolic links. “To exploit the vulnerability, an attacker would have insert[ed] a malicious USB device into a target system. The security update addresses this vulnerability by removing the vulnerable code from the component,” Microsoft noted in a security bulletin.
Apart from fixing the aforementioned vulnerability, Tuesday’s security patch also resolves 13 other shortcomings including breaches found in Microsoft Office, and even the new Edge browser. The patch, dubbed MS15-091, fixes a vulnerability which if exploited allowed an attacker to execute malicious code on an affected machine when a user visited a specially-crafted webpage. One can install the patches via Windows Update. Alternatively, the patches can be manually downloaded and installed from the company’s website.