Windows users get patch for ‘USB vulnerability’ that attackers exploit
Microsoft has patched a vulnerability in Windows that made it possible to put malware on a PC by inserting a prepared USB device into the computer. All variants of Windows are susceptible.
Microsoft writes in its bulletin that it has “reasons” to believe that the vulnerability has been exploited in attacks against Windows users. It has labeled the patch “important,” a step below its most urgent designation, “critical,” presumably because the attack requires physical access to a PC.
Attackers were able to exploit the vulnerability because of the way the Mount Manager for USB devices in Windows handles symlinks. This allows attackers to transfer malicious code from the USB device to the disk and execute it.
The patch addresses the issue by removing the vulnerable code from the Mount Manager, so the vulnerability can no longer be exploited. Since Tuesday, Microsoft has been distributing the patch to users of all Windows versions from Vista onward.