The following cyber advisory was issued by the New York State Office of Cyber Security (OCS) and is
intended for State government entities. The information may or may not be applicable to the
general public and accordingly, the State does not warrant its use for any specific purposes.



Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2807986)


Multiple vulnerabilities have been discovered in Microsoft Windows which could allow an attacker to gain system level access with a specially crafted USB device. Once the USB key is inserted, it makes the system execute specially crafted code at the Windows kernel level. An attacker could then install programs; view, change, or delete data; or create new accounts.


  • Windows XP SP 3
  • Windows XP x64 SP 2
  • Windows Server 2003 and Itanium based systems SP 2
  • Windows Server 2003 x64 SP 2
  • Windows Vista, Vista x64 SP 2
  • Windows Server 2008 32-bit, x64 and Itanium based systems SP 2
  • Windows Server 2008 R2 x64, Itanium
  • Windows Server 2008 R2 Itanium SP 1
  • Windows 8 32-bit, 64-bit
  • Windows server 2012
  • Windows server core 2008 32-bit and x64 SP 2
  • Windows server core 2008 R2 x64
  • Windows server core 2008 R2 x64 SP1
  • Windows server core 2012
  • Windows 7 32-bit and x64 SP 1


  • Large and medium government entities: High
  • Small government entities: High


  • Large and medium business entities: High
  • Small business entities: High

Home users: High

When Windows USB drivers improperly handle objects in memory, an elevation of privilege vulnerability exists. An attacker who successfully exploits this vulnerability then could run specially crafted code in kernel mode. The Windows kernel is the core of the operating system. It provides system-level services such as device management and memory management, allocates processor time to processes, and manages error handling. With access to these services, an attacker could install programs; view, change, or delete data; or create new accounts with full administrative rights.

Because the vulnerability is triggered during device port communications and low level pass through, no user intervention is required. The vulnerability can be triggered when the workstation is locked, when no user is logged in, and autorun is disabled making this an un-authenticated elevation of privilege for an attacker with physical access to the machine. Other software may open additional avenues of exploitation that do not require direct physical access to the system.

We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Educate and remind users not to use any unauthorized, non-provisioned USB hardware.
  • Educate and remind users to report any suspicious activity or individuals. 



The Verge: