System Exploitable With USB
Anonymous Coward writes "Vulnerabilities in USB drivers for Windows could allow an attacker to take control of locked workstations using a specially programmed Universal Serial Bus device." From the article: "The buffer-overflow flaw is in device drivers that Windows loads whenever USB devices are inserted into computers running Windows 32-bit operating systems, including Windows XP and Windows 2000, said Caleb Sima, chief technology officer and founder of SPI Dynamics."
Computers with physical access are susceptible to "unintended root-level access".
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
Really, how serious a threat is this? If someone has unrestricted physical access to your machine then you're already in serious trouble. We all know how breakable the NTFS file encryption is, so if they really want to get at your files, they can just reboot into Fedora from a CD, or run any other tool that circumvents the encryption. If they just want to destroy data then you can put a hammer through the hard drive, and no OS can prevent that... So, I'm not saying that this vulnerability shouldn't be fixed, but maybe they should work on making NTFS a bit stronger first - if that's even possible.
Also, does anyone else think Slashdot should have a special section for buffer overflows? They seem to spawn more stories than several of the other sections...
apterous.org
Sadly enough it is not at all surprising that Slashdot immediately goes for the anti-Windows slant rather than actually reading and comprehending the article and exploit in question. Too few actual exploits in Windows as of late to get up to the required quota perhaps?
In a more direct comment about the "exploit" I don't consider it terribly important, hardware access leads to a lot of trivial exploits. This one can be made more user-friendly than most with appropriate hardware, but it is not really worse than just inserting a boot CD that copies the relevant data to a secure server or so. It can also of course easily be fixed by disallowing loading of USB drivers without confirmation from the user.
USB flash drives are already quite highly accepted amongst non-technical users; both my parents have bought pendrives, as have many of my friends. They're quite comfortable with just popping in the drive, waiting for the OS to see it, and grabbing files off it.
So, what if someone handed them a pendrive and asked them to grab some files from it, and it turns out that this pendrive would cause an attack like this? One could be switched by a black-hat, or planted, or mailed... put simply, the attacker wouldn't need physical access, just access to someone who does.
And tomorrow the stock exchange will be the human race
Yeah, right, good ol' MS way: it's not the software's fault, it's not Windows's fault, it's USB's fault. We makes ze great softwere, you makes ze bad hardwere.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
Well there's an easy way to find out... try the exploit on OSX and Linux. I think it's quite significant that the article completely fails to mention any OS other than Windows.
:-)
In a way, I hope the identical problem is present in all of Win/Lin/OSX, as it would give us a very nice way to compare how good and quick the fixes are. I'm not too worried that Microsoft have a headstart on a fix
A pizza of radius z and thickness a has a volume of pi z z a
Given enough time and resources, I have physical access to anything. If your computer is in a locked case, is that physically secure? In a lab that is always staffed? Behind a locked door? With a guard?
For many situations, a computer with a locked case in a room that is staffed is considered "physically secure", as it's not likely that you'll break the physical security (lock on the case) without attracting the attention of the staff. Hell, even a computer in a staffed room in a case that has screws on it is fairly physically secure. The USB problem circumvents the physical security.
Security is all about deterrent. My apartment has a dead bolt lock on the door. Does this mean it's impossible to break into my apartment? Of course not - it just makes it harder.
Being able to break security on a locked computer with a USB drive is like leaving the key to your apartment under your door mat.
paintball
Really, how serious a threat is this? If someone has unrestricted physical access to your machine then you're already in serious trouble.
Surprise, it's just a little more sensationalism at eWeek. If this weren't somehow related to Microsoft Windows, then it might not have been given a front page reference here at Slashdot. Corporate espionage and cyberterrorism, oh my!
Perhaps it's intended to evoke an image of a man standing at a workstation and inserting a USB device that automatically captures all of the corporate trade secrets. It's only going to frighten those who are uninformed, as you've effectively described the entire problem. Unless the organization in charge has established an extremely secure physical environment, then their sensitive information will always be susceptible to physical espionage.
If their only layer of protection is provided by a locked Windows workstation, then a network-based attack might prove itself both less expensive and more effective, anyway.
Do you like German cars?
If it's a buffer overflow, then it's a software bug, not a problem with USB per se.
If it's a vulnerability in a driver, then it doesn't matter if Microsoft didn't write the driver, if they ship it with Windows, they are responsible for it. There's no useful distinction between "Windows" and the drivers that ship as part of Windows.
The flaw is with drivers within Windows, not the USB protocol. USB does its job, it says, "hey, I got this device on the server, its name is 8086:3429 and it's a high speed device." Windows says, "okay, yeah, whatever" and starts accepting data. Unfortunately, drivers are an area where secure programming really hasn't caught on as well as it should, after all, their hardware never misbehaves and starts spewing out nonsense, right? ;3
Marxism is the opiate of dumbasses
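To illustrate the point in the comment above about drivers trusting whatever a device sends, here is an added example (not from the thread, the article, or any Windows driver) of a parser that treats every device-reported length as untrusted. The descriptor layout is standard USB; `parse_config`, `MAX_EP` and the sample bytes are hypothetical, and the page does not say where in the driver the actual flaw sits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DT_CONFIG   0x02  /* USB descriptor type: configuration */
#define DT_ENDPOINT 0x05  /* USB descriptor type: endpoint */
#define MAX_EP      4     /* hypothetical size of the driver's fixed table */

/* Walks a configuration descriptor blob as received from a device and
 * copies endpoint addresses into out[]. Returns the endpoint count, or -1
 * if any device-reported length is inconsistent with the bytes received. */
int parse_config(const uint8_t *buf, size_t len, uint8_t out[MAX_EP])
{
    if (len < 9 || buf[0] < 9 || buf[1] != DT_CONFIG)
        return -1;
    size_t total = (size_t)buf[2] | ((size_t)buf[3] << 8); /* wTotalLength */
    if (total < 9 || total > len)      /* device claims more than it sent */
        return -1;

    int n = 0;
    size_t off = 0;
    while (off < total) {
        if (total - off < 2)           /* no room for bLength + bDescriptorType */
            return -1;
        uint8_t blen = buf[off], type = buf[off + 1];
        if (blen < 2 || blen > total - off)  /* zero length would loop forever */
            return -1;
        if (type == DT_ENDPOINT) {
            if (blen < 7 || n == MAX_EP)     /* short descriptor or table full */
                return -1;
            out[n++] = buf[off + 2];         /* bEndpointAddress */
        }
        off += blen;
    }
    return n;
}

/* Constructed sample: one configuration, one interface, one endpoint. */
static const uint8_t good[] = {
    9, 0x02, 25, 0, 1, 1, 0, 0x80, 50,
    9, 0x04, 0, 0, 1, 0x03, 0, 0, 0,
    7, 0x05, 0x81, 0x03, 8, 0, 10,
};

int main(void)
{
    uint8_t ep[MAX_EP];
    printf("endpoints: %d\n", parse_config(good, sizeof good, ep));
    return 0;
}
```

Each early return corresponds to a way a misbehaving device could otherwise push the walk past the received buffer or past the fixed-size table.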
From TFA:
So how can it be in all usb drivers?
http://michaelsmith.id.au
On the other hand, I would be quite mad if I had to confirm that my new keyboard and mouse should, in fact, be used. (Catch 22, hey?) Only allow plug-and-pray of anything but a very limited set of devices (user configurable?) from anything but Administrator. That would solve most of it.
I wonder when people will start poking more at Nvidia's and ATI's OpenGL drivers on all platforms. That should prove interesting, especially since the binary drivers may actually contain the same flaws on several platforms.
> Except that someone might have noticed their Windows 95 system :-)
> being rebooted... oh *wait*
Exactly. They might notice, but nobody's going to bat an eye. Frankly, most folks wouldn't bat an eye if they saw WinXP being rebooted either, not because it's necessary nearly as often but because people do it constantly anyway, because they've been conditioned that way. About half the population instinctively reboots at the first sign of abnormality, e.g., if the website they're trying to visit doesn't resolve because they mistyped the URI. It's likely to take a very long time for this expectation to change.
Cut that out, or I will ship you to Norilsk in a box.
okay, linux fans always say stuff about bugs like "they're talking about the distribution, not the kernel! that's not Linux, that's the distribution!"
I have a feeling that if there were a driver bug that was in a driver NOT included in the main kernel download, but was still shipped on distro CDs, /. readers would rally to say that this is not a Linux problem, but a driver problem.
So let's come to a consensus. Does Windows/Linux include what's on the CD, or just the kernel and drivers included directly in the kernel?
Can't have it both ways...
How did this get modded insightful? Obviously you AND the mods did not read the article and have absolutely no idea what's going on here.
First of all there is only one USB subsystem driver for Windows. That's not actually technically correct since there are drivers for the various USB control architectures (such as UHCI, OHCI, EHCI), but they are a small part of a larger unified USB subsystem driver.
I suspect you mistakenly thought the article was talking about the individual usb device drivers (for things like gamepads, cameras, printers, etc).
This is not what's happening at all. This is a Windows vulnerability, and actually has absolutely nothing to do with USB, other than it affects the USB subsystem of the Windows (and only Windows) operating system.
There's a buffer overflow in the USB system, which allows any properly designed device to be plugged into a locked Windows computer, and execute arbitrary code (ie unlock the machine, etc).
You may think this isn't a big deal, but this is a huge deal. You can pick up USB dev kits for a couple hundred bucks that come with an FPGA, flash rom, and more. Basically for the price of one of these devices you could theoretically walk into any place where you can gain physical access to a Windows machine, and pwn it.
Everyone seems to be forgetting the real big security issue with this.
Accessing physical data on the system's hdd (whether encrypted or not) is not the major issue - accessing currently running programs is.
Example - John Q Sysadmin has a few open ssh sessions to some of his favourite boxes - locks his workstation so he can wander off somewhere. Anyone exploiting this to unlock his workstation now has access to his logged-in ssh terminals.
Yes, there are other ways to achieve this, including keyloggers, trojans, etc, but this makes it stupidly easy to walk past a random workstation, and potentially 10 seconds later have root access on any number of other boxes the user happened to be logged in as.
Remember guys - better be shutting down your ssh terms before you go to lunch!