The MS13-027 bulletin describes one of the most interesting sets of flaws that Microsoft is fixing this month. The bulletin titled “Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege” encompasses three separate vulnerabilities (CVE-2013-1285, CVE-2013-1286 and CVE-2013-1287), all of which are labeled as “Windows USB Descriptor Vulnerability.”
“An elevation of privilege vulnerability exists when Windows USB drivers improperly handle objects in memory,” Microsoft warns. “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.”
Qualys CTO Wolfgang Kandek noted that the attack vector used in the USB vulnerability was described as far back as 2009 as the “evil maid” attack.
“The attack vector is broad, encompassing anybody who has access to your unattended computer, be it the janitor at your workplace, the staff at the hotel where you are staying, or anywhere somebody with physical access can insert a USB drive into your computer,” Kandek said.
Read the full story at eSecurity Planet:
Microsoft Patch Tues Misses Pwn2own Flaws