As Ars Technica reports, Microsoft revealed the details of the serious bug in its August 2015 monthly security bulletin. The bug is ranked as “important” in Windows Update, and the company writes that it has “reason to believe” the vulnerability has been actively exploited by hackers in “targeted attacks against customers.”
The issue is based around a flaw in the Windows code responsible for mounting USB sticks. By compromising a USB stick in a specific way, an attacker could execute privileged code on a system once the stick has been connected.
The vulnerability cannot be exploited remotely as the infected drive must be connected directly to the computer before the hijacking becomes possible. Once connected, the attacker essentially has access to the computer as an administrator user.
The issue appears to be similar to the fatal Windows flaw that allowed for the disruption of Iran’s nuclear program using the Stuxnet worm that targeted Siemens industrial controllers. The attack, patched by Microsoft in 2010, was based around .LNK files that the operating system uses to display customised icons for USB drives. A major vulnerability allowed worms like Stuxnet to be spread through networks by connecting malicious USB sticks to computers.
Today’s issue is less serious as it is not remotely exploitable, unlike .LNK. Microsoft has released a tool that lets updated, protected computers log any future attempted hacks based around the flaw. With the attack in the wild, Microsoft may find it useful to be able to identify when and where exploitation attempts occur. The tool also allows computer users to detect if they have been targeted.
Microsoft has released 13 other security updates for Windows this month. Most users will find that they are automatically downloaded and installed by Windows Update if it is operating on the default settings.