A beautiful young systems analyst pulls back from her keyboard and stretches, yawns. It’s late. Sliding into her coat, she taps out a text to her boyfriend: “Be there in 20.” As she leaves the office, silence falls, except for the hum of fluorescent lights above.
A squeak. A garbage can appears, pushed by an older, balding man, his eyes suspiciously alert. Setting down his mop, the man sits at the systems analyst’s desk and pulls a USB key out of the pocket of his stained overalls. The silent PC hums to life as the USB key is inserted. Files scroll down the screen, and a faint smile flickers across his lips. Otlichno, he murmurs. Excellent.
Microsoft admitted Tuesday that the risk of this Hollywood-style hacking scenario is very real – and can be eliminated only via its latest Windows patch.
Yes, it almost sounds like something out of The Net, the 1995 film starring Sandra Bullock that featured a plot device relying on a backdoor passed around on floppy disks (USB drives were first shipped five years later).
As Microsoft noted in a blog post attached to its Patch Tuesday updates, one should assume that if an attacker has physical access to your computer (through theft, losing a laptop or otherwise), then a knowledgeable attacker will likely be able to crack it through any one of a variety of means. What set apart the kernel-mode driver flaw that Microsoft patched on Tuesday – one of three “critical” vulnerabilities and seven total patches – is that it could be exploited with only casual physical access, of the sort a janitor or coworker could quickly get.
“While this isn’t the first issue to leverage physical access and USB devices, it is different in that it doesn’t require a machine to be logged on,” the Microsoft Security Response Team (MSRC) wrote. “It also provides kernel-level code execution where previous attacks only allowed code execution at the logged-on level. Because of this, someone with casual physical access, such as a custodian sweeping your office at night or a security guard making his rounds, could simply plug in a USB device to perform any action as an administrator.”
The other two critical patches address Internet Explorer and Silverlight. Others, marked “Important,” involve vulnerabilities in Visio, OneNote and SharePoint.
Windows Store Patches, ASAP
Microsoft also detailed how it would update apps sold via the Windows Store, its source for online apps – exclusively, in the case of Windows RT. Instead of delivering them on a monthly basis on Patch Tuesday, the patches and updates will be delivered as needed.
“This applies to Microsoft apps that are installed using the Windows Store and to apps like Mail, which are preinstalled with Windows 8 but updated using the Windows Store,” Mike Reavey, senior director within the MSRC, wrote. “Providing security updates to these apps more frequently will allow us to add new functionality, fix issues and improve security. This will also help developers to avoid introducing new issues during the update process.”
This more-active approach to security patches makes sense – except perhaps for aspiring screenwriters, who will have to come up with another preposterous representation of technology hacks.
Of course, if you don’t apply Microsoft’s new patches, comrade, then it’s do svidaniya for you.
Images from the trailer for The Net, on YouTube.