
Microsoft releases patch that prevents a USB drive from executing malicious code (KB2807986)


Microsoft has released an update as part of March 2013 Patch Tuesday that prevents an attacker from compromising a system by inserting a malicious USB drive, whether or not anyone is logged into Windows.

“To exploit the vulnerability addressed by MS13-027 (KB2807986), an attacker could add a maliciously formatted USB device to the system. When the Windows USB device drivers enumerate the device, parsing a specially crafted descriptor, the attacker could cause the system to execute malicious code in the context of the Windows kernel,” Microsoft stated in an official blog post. The attack requires no user interaction, since it is triggered as soon as the USB device is inserted. The vulnerability can be triggered even when the system is locked or when no one is logged on in the first place. Microsoft addressed this type of “un-authenticated elevation of privilege” attack with a patch released earlier today as part of March 2013 Patch Tuesday. The update is rated Important and requires a restart. If you haven’t already done so, check Windows Update to snag this security fix!

Thanks for the tip, Anon!
