Slashdot Mirror

← Back to Stories (view on slashdot.org)

System Exploitable With USB

Posted by Zonk on from the good-thing-no-one-uses-that dept.

Anonymous Coward writes "Vulnerabilities in USB drivers for Windows could allow an attacker to take control of locked workstations using a specially programmed Universal Serial Bus device." From the article: "The buffer-overflow flaw is in device drivers that Windows loads whenever USB devices are inserted into computers running Windows 32-bit operating systems, including Windows XP and Windows 2000, said Caleb Sima, chief technology officer and founder of SPI Dynamics."

3 of 310 comments (clear)

  1. Tonight at 11: by ZxCv · · Score: 5, Insightful

    Computers with physical access are susceptible to "unintended root-level access".

    --

    Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  2. It is not about "Windows" by jiushao · · Score: 5, Insightful
    This is just a report about the general issue that all USB drivers have to be secure or a hardware device can be made to exploit the machine. It is in no way about Windows, but actually about any operating system than implements USB.

    Sadly enough it is not at all suprising that Slashdot immediately goes for the anti-Windows slant rather than actually reading and comprehending the article and exploit in question. Too few actual axploits in Windows as of late to get up to the required quota perhaps?

    In a more direct comment about the "exploit" I don't consider it terribly important, hardware access leads to a lot of trivial expoits. This one can be made more user-friendly than most with appropriate hardware, but it is not really worse than just inserting a boot CD that copies the relevant data to a secure server or so. It can also of course easily be fixed by disallowing loading of USB drivers without confirmation from the user.

  3. What's physical access? by raehl · · Score: 5, Insightful

    Given enough time and resources, I have physical access to anything. If your computer is in a locked case, is that physically secure? In a lab that is always staffed? Behind a locked door? With a guard?

    For many situations, a computer with a locked case in a room that is staffed is considered "physically secure", as it's not likely that you'll break the physical security (lock on the case) without attracting the attention of the staff. Hell, even a computer in a staffed room in a case that has screws on it is fairly physically secure. The USB problem circumvents the physical security.

    Security is all about deterrent. My apartment has a dead bolt lock on the door. Does this mean it's impossible to break into my apartment? Of course not - it just makes it harder.

    Being able to break security on a locked computer with a USB drive is like leaving the key to your apartment under your door mat.

    --
    paintball