Security researcher Gynvael Coldwind has discovered a USB vulnerability that results in local privilege escalation on Windows 7. Another researcher, Mateusz “j00ru” Jurczyk, has developed an exploit for this flaw.
Exploiting the flaw requires the attacker to have physical access to the machine and a local user account on the system.
Accordingly, the only scenario in which it may be a security problem is a local computer shared between multiple users with limited privileges (e.g. in schools, universities, hostels), and thus it has been rated as low-severity.
The researchers sent a notification about the vulnerability to MSRC, which claimed to have passed the information to the Windows team for potential fixing as a steady issue sometime in the future.
Windows 7 USB stick local+physical attack demo:
The technical details about the vulnerability can be found here: