Trend Micro Security Labs recently published a report presenting its analysis of the CVE-2014-4115 vulnerability. The report showed that a complete system compromise is possible using a malicious USB disk.

The vulnerability was fixed in the October 2014 patch cycle under bulletin MS14-063. It lies in the FAT32 disk partition driver and could allow an attacker to gain administrator privileges on a compromised system using nothing more than a USB disk drive carrying a specially modified file system.

Explaining the unusual nature of the vulnerability in the report, Trend Micro says it had deeply analyzed earlier vulnerabilities: Stuxnet, which allowed shell code to run on Windows, and another that allowed administrator privileges to be gained easily. With a vulnerable file system driver, both can be achieved in a single step.

The vulnerability is found in the file system driver (FASTFAT.SYS) of several Windows versions, including Windows Vista, Windows Server 2003 and Windows Server 2008. This driver handles FAT file systems. The vulnerability is triggered when a specific BIOS Parameter Block (BPB) is processed in the boot sector of a FAT32 drive.
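The following is an added example, not code from the Trend Micro report or from this article: a small Python parser and sanity checker for the FAT32 BIOS Parameter Block mentioned above. The report does not say which BPB field the crafted disk abuses, so this code does not reproduce that condition; it decodes the standard BPB fields and flags values that fall outside the FAT specification, the kind of validation a forensic analyst or a defender can run on a boot-sector image taken from a removable disk before trusting it. The field layout and constraints follow the Microsoft FAT specification; the sample boot sector and its values are constructed here for illustration.

```python
import struct

# Layout of the FAT32 boot sector / BIOS Parameter Block (BPB), bytes 0..89,
# per the Microsoft FAT specification. All multi-byte fields are little-endian.
_COMMON = struct.Struct("<3s8sHBHBHHBHHHII")     # bytes 0..35, shared with FAT12/16
_FAT32 = struct.Struct("<IHHIHH12sBBBI11s8s")   # bytes 36..89, FAT32 extension

_COMMON_NAMES = ("jmp_boot", "oem_name", "bytes_per_sector", "sectors_per_cluster",
                 "reserved_sectors", "num_fats", "root_entry_count", "total_sectors_16",
                 "media", "fat_size_16", "sectors_per_track", "num_heads",
                 "hidden_sectors", "total_sectors_32")
_FAT32_NAMES = ("fat_size_32", "ext_flags", "fs_version", "root_cluster",
                "fsinfo_sector", "backup_boot_sector", "reserved", "drive_number",
                "reserved1", "boot_signature", "volume_id", "volume_label", "fs_type")


def parse_bpb(sector: bytes) -> dict:
    """Decode the BPB fields of a boot sector (at least 512 bytes) into a dict."""
    if len(sector) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    fields = dict(zip(_COMMON_NAMES, _COMMON.unpack_from(sector, 0)))
    fields.update(zip(_FAT32_NAMES, _FAT32.unpack_from(sector, _COMMON.size)))
    fields["signature"] = struct.unpack_from("<H", sector, 510)[0]
    return fields


def validate_fat32_bpb(sector: bytes) -> list:
    """Return a list of spec violations; an empty list means the BPB is sane."""
    b = parse_bpb(sector)
    problems = []
    if b["signature"] != 0xAA55:               # bytes 0x55 0xAA at offset 510
        problems.append("missing 0x55AA boot signature")
    if b["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        problems.append("bytes_per_sector %d not in {512,1024,2048,4096}" % b["bytes_per_sector"])
    spc = b["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1) or spc > 128:
        problems.append("sectors_per_cluster %d is not a power of two in 1..128" % spc)
    if b["reserved_sectors"] == 0:
        problems.append("reserved_sectors must be non-zero")
    if b["num_fats"] == 0:
        problems.append("num_fats must be at least 1")
    # FAT32 zeroes the FAT12/16-only fields and uses the 32-bit ones instead.
    if b["root_entry_count"] != 0:
        problems.append("root_entry_count must be 0 on FAT32")
    if b["total_sectors_16"] != 0 or b["total_sectors_32"] == 0:
        problems.append("FAT32 must use total_sectors_32 (non-zero) and zero total_sectors_16")
    if b["fat_size_16"] != 0 or b["fat_size_32"] == 0:
        problems.append("FAT32 must use fat_size_32 (non-zero) and zero fat_size_16")
    if b["fs_version"] != 0:
        problems.append("unsupported fs_version %d" % b["fs_version"])
    if b["root_cluster"] < 2:
        problems.append("root_cluster %d is below the first data cluster" % b["root_cluster"])
    if problems:
        return problems  # geometry checks are meaningless once a field is out of range
    # Geometry: the reserved area and the FATs must fit inside the volume,
    # and the remaining data area must hold enough clusters to be FAT32 at all.
    fat_area = b["reserved_sectors"] + b["num_fats"] * b["fat_size_32"]
    if fat_area >= b["total_sectors_32"]:
        problems.append("reserved area plus FATs (%d sectors) exceeds volume size %d"
                        % (fat_area, b["total_sectors_32"]))
        return problems
    clusters = (b["total_sectors_32"] - fat_area) // spc
    if clusters < 65525:
        problems.append("only %d clusters: spec classifies this as FAT12/16, not FAT32" % clusters)
    return problems


def build_sample_boot_sector(**overrides) -> bytes:
    """Construct a minimal spec-conformant FAT32 boot sector (sample data, not a real disk).

    Keyword overrides let a caller deliberately set individual fields to out-of-spec
    values to exercise the validator.
    """
    fields = dict(jmp_boot=b"\xEB\x58\x90", oem_name=b"MSWIN4.1", bytes_per_sector=512,
                  sectors_per_cluster=8, reserved_sectors=32, num_fats=2, root_entry_count=0,
                  total_sectors_16=0, media=0xF8, fat_size_16=0, sectors_per_track=63,
                  num_heads=255, hidden_sectors=0, total_sectors_32=1_048_576,
                  fat_size_32=1024, ext_flags=0, fs_version=0, root_cluster=2,
                  fsinfo_sector=1, backup_boot_sector=6, reserved=b"\0" * 12,
                  drive_number=0x80, reserved1=0, boot_signature=0x29,
                  volume_id=0x12345678, volume_label=b"NO NAME    ", fs_type=b"FAT32   ")
    fields.update(overrides)
    sector = bytearray(512)
    _COMMON.pack_into(sector, 0, *(fields[n] for n in _COMMON_NAMES))
    _FAT32.pack_into(sector, _COMMON.size, *(fields[n] for n in _FAT32_NAMES))
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    print("clean sample:", validate_fat32_bpb(build_sample_boot_sector()))
    print("zeroed geometry:", validate_fat32_bpb(
        build_sample_boot_sector(sectors_per_cluster=0, bytes_per_sector=0)))
```

To check a real image, read its first 512 bytes (for example with `open(path, "rb").read(512)`) and pass them to `validate_fat32_bpb`. The validator stops at the first layer of errors on purpose: derived values such as cluster count are only meaningful once every raw field is within its allowed range, which is the same order of reasoning a file system driver has to follow before it trusts the geometry a disk advertises.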

USB disks commonly use FAT32 even today, which makes this vulnerability attractive for attacks. For example, a specially modified USB disk could be inserted into the laptop or PC of a company's chairman and left plugged in. Bad actors could then control that system from outside and potentially use it for targeted attacks.

Timely patching by system administrators would reduce the number of victims of such an attack. The blog report also suggested that enterprise system administrators reconsider their policies on the use of USB or flash drives within the company.

The blog report further describes in detail the vulnerability, its location and how it is triggered.

In its conclusion, the report states that the vulnerability is present only in older versions of Windows: Vista, Server 2003 and Server 2008. The newer versions, Windows 7, Windows 8, Server 2008 R2 and Server 2012, are not affected.

The code in the newer, unaffected versions is identical to the patch released for this vulnerability, which suggests that the vulnerability was caused by a programmer error during coding or code merging. This is a clear indication that more vulnerabilities might be found by binary comparison of FASTFAT.SYS between Windows 7 and the other platforms.

No public exploit for this vulnerability has been found to date, which rules out the black hat world for now. These incidents show that system administrators need to be quick with patch management, because even vulnerabilities that do not lead to immediate code execution may still pose a serious risk to affected systems.