Microsoft's latest Patch Tuesday round of security updates includes a fix for a vulnerability that could allow attackers to compromise PCs using a USB key. The attack requires physical access to a PC, but an attacker who has it need only insert a prepared USB device to make the system execute malicious code at the Windows kernel level, the highest privilege level on the machine. Microsoft rates the vulnerability as Important rather than Critical. That is consistent with how Microsoft's severity scale works, since Critical is generally reserved for flaws exploitable remotely without user interaction, and the physical-access prerequisite keeps this one a notch lower; it does not mean the company considers the bug harmless, and the consequences of a successful attack are severe.
The ability to compromise machines by USB is particularly troublesome for large organizations running thousands of Windows PCs, where physical access to at least some machines is hard to control. Attacks that rely on physical access and social engineering rather than purely remote exploits pose a different kind of challenge to securing data, because network-level controls never see them. Attackers have been known to use cleaning or janitorial staff to reach machines inside a business and plant USB keyloggers or USB keys, and this patch closes one vulnerability that such an insider or visitor could have exploited.
Microsoft admits the flaw could "open additional avenues of exploitation that do not require direct physical access to the system," once the USB-based exploit is successful: code running in the kernel can install persistent malware or open a remote backdoor, so the attacker only needs to be at the keyboard once. It is true that an attacker with physical access to a machine is hard to defend against fully. But there is a distinction worth drawing: protections such as full-disk encryption address an attacker who removes the drive or boots from other media, whereas a bug in the kernel's handling of a plugged-in device is triggered by the running operating system itself, so those protections do not help against it. Exploits of this kind demonstrate that securing a system reaches beyond the software on the network-facing side.