Today Microsoft released update MS15-085 to address CVE-2015-1769, an important severity security issue in Mount Manager. It affects both client and server versions, from Windows Vista to Windows 10.
The goal of this blog post is to provide information on the detection guidance to help defenders detect attempts to exploit this issue.
As part of the update, we are also shipping an event log to help defenders detect attempts to use this vulnerability on their systems. The event log will be triggered every time a malicious USB that relies on this vulnerability, is mounted on the system. If such an event is recorded, it means that attempt to exploit the vulnerability is blocked. So once the update is installed, companies auditing event logs will be able to use this as detection mechanism.
These events are logged under “System” channel and is reported as an error.
Note: Multiple events may be raised for single exploit attempt.
After installing the update, exploitation attempts will result in the Event (ID:100) generated with MountMgr or Microsoft-Windows-MountMgr, as its source. The CVE associated with this vulnerability will also be logged for further reference. Note that this error code can also be logged in other extremely rare circumstances. So, while there is a very small chance that this event log could be generated in non-malicious scenarios, there is a high probability that an exploitation attempt is the cause of the event.
- Axel Souchet, Vishal Chauhan from MSRC Vulnerabilities and Mitigations Team