System Exploitable With USB

Anonymous Coward writes "Vulnerabilities in USB drivers for Windows could allow an attacker to take control of locked workstations using a specially programmed Universal Serial Bus device." From the article: "The buffer-overflow flaw is in device drivers that Windows loads whenever USB devices are inserted into computers running Windows 32-bit operating systems, including Windows XP and Windows 2000, said Caleb Sima, chief technology officer and founder of SPI Dynamics."

Tonight at 11:

[ZxCv]

Computers with physical access are susceptible to "unintended root-level access".

It is not about "Windows"

[jiushao]

This is just a report about the general issue that all USB drivers have to be secure or a hardware device can be made to exploit the machine. It is in no way about Windows, but actually about any operating system than implements USB.

Sadly enough it is not at all suprising that Slashdot immediately goes for the anti-Windows slant rather than actually reading and comprehending the article and exploit in question. Too few actual axploits in Windows as of late to get up to the required quota perhaps?

In a more direct comment about the "exploit" I don't consider it terribly important, hardware access leads to a lot of trivial expoits. This one can be made more user-friendly than most with appropriate hardware, but it is not really worse than just inserting a boot CD that copies the relevant data to a secure server or so. It can also of course easily be fixed by disallowing loading of USB drivers without confirmation from the user.

Scary.

[oberondarksoul]

USB flash drives are already quite highly accepted amongst non-technical users; both my parents have bought pendrives, as have many of my friends. They're quite comfortable with just popping in the drive, waiting for the OS to see it, and grabbing files off it.

So, what if someone handed them a pendrive and asked them to grab some files from it, and it turns out that this pendrive would cause an attack like this? One could be switched by a black-hat, or planted, or mailed... put simply, the attacker wouldn't need physical access, just access to someone who does.

Re:Misleading first few paragraphs?

[l3v1]

Yeah, right, good ol' MS way: it's not the software's fault, it's not Windows's fault, it's USB's fault. We makes ze great softwere, you makes ze bad hardwere.

Re:Overflows are fun!

[MichaelSmith]

If someone has unrestricted physical access to your machine then you're already in serious trouble.

How about this: I lend my usb key to you so that you can transfer a file. While connected to your system the usb device cracks the security on your windows box and grabs the information I was looking for.

I don't need access to your system for that to work. I don't even have to know where it is. I have a usb key/mp3 player device which will let me reflash the firmware, so perhaps I could put the exploit in that way.

What's physical access?

[raehl]

Given enough time and resources, I have physical access to anything. If your computer is in a locked case, is that physically secure? In a lab that is always staffed? Behind a locked door? With a guard?

For many situations, a computer with a locked case in a room that is staffed is considered "physically secure", as it's not likely that you'll break the physical security (lock on the case) without attracting the attention of the staff. Hell, even a computer in a staffed room in a case that has screws on it is fairly physically secure. The USB problem circumvents the physical security.

Security is all about deterrent. My apartment has a dead bolt lock on the door. Does this mean it's impossible to break into my apartment? Of course not - it just makes it harder.

Being able to break security on a locked computer with a USB drive is like leaving the key to your apartment under your door mat.

Re:Misleading first few paragraphs?

[Linus+Torvaalds]

If it's a buffer overflow, then it's a software bug, not a problem with USB per se.

If it's a vulnerability in a driver, then it doesn't matter if Microsoft didn't write the driver, if they ship it with Windows, they are responsible for it. There's no useful distinction between "Windows" and the drivers that ship as part of Windows.

Re:Misleading first few paragraphs?

[ocelotbob]

The flaw is with drivers within windows, not the USB protocol. USB does its job, it says, "hey, I got this device on the server, its name is 8086:3429 and its a high speed device. Windows says, "okay, yeah, whatever" and starts accepting data. Unfortunately, drivers are an area where secure programming really hasn't caught on as well as it should, after all, their hardware never misbehaves and starts spewing out nonsense, right? ;3

Re:Every time I bag out Microsoft

[MichaelSmith]

This is not a Microsoft vulnerability, this is a USB vulnerability

From TFA:

The buffer-overflow flaw is in device drivers that Windows loads whenever USB devices are inserted into computers running Windows 32-bit operating systems, including Windows XP and Windows 2000, said Caleb Sima, chief technology officer and founder of SPI Dynamics.

So how can it be in all usb drivers?

Re:Similar problems...

[jonadab]

> Except that someone might have noticed their Windows 95 system
> being rebooted... oh *wait* :-)

Exactly. They might notice, but nobody's going to bat an eye. Frankly, most folks wouldn't bat an eye if they saw WinXP being rebooted either, not because it's necessary nearly as often but because people do it constantly anyway, because they've been conditioned that way. About half the population instinctively reboots at the first sign of abnormality, e.g., if the website they're trying to visit doesn't resolve because they mistyped the URI. It's likely to take a very long time for this expectation to change.