在你最新的、安全的作業系統上使用你自己的受信任的USB驅動器是一回事，但是如果你最好的朋友帶著他們的USB驅動器過來，想讓你把一些檔案複製到其中呢？你朋友的隨身碟會給你安全的系統帶來任何風險嗎，還是隻是毫無根據的恐懼？

今天的問答環節是由SuperUser提供的，SuperUser是Stack Exchange的一個分支，是一個由社群驅動的問答網站分組。

圖片由Wikimedia Comm***提供。

問題

超級使用者讀者E M想知道不受信任的USB驅動器可能有哪些危險：

Suppose someone wants me to copy some files to their USB drive. I’m running fully-patched Windows 7 x64 with AutoRun disabled (via Group Policy). I insert the USB drive, open it in Windows Explorer, and copy some files to it. I do not run or view any of the existing files. What bad things could happen if I do this?

What about if I do this in Linux (say, Ubuntu)? Please note that I’m looking for details of specific risks (if any), not “it would be safer if you don’t do this”.

如果你有一個系統是最新的，安全性很好，有沒有任何風險，從一個不受信任的USB驅動器，如果你只**和複製檔案到它，但什麼都不做？

答案

超級使用者貢獻者sylvainulg、steve和Zan Lynx為我們提供了答案。首先，sylvainulg：

Less impressively, your GUI file browser will typically explore files to create thumbnails. Any pdf-based, ttf-based, (insert Turing-capable file type here)-based exploit that works on your system could potentially be launched passively by dropping the file and waiting for it to be scanned by the thumbnail renderer. Most of the exploits I know about are for Windows though, but do not underestimate the updates for libjpeg.

接著是史蒂夫：

There are several security packages that allow me to set up an AutoRun script for either Linux OR Windows, automatically executing my malware as soon as you plug it in. It is best not to plug in devices that you do not trust!

Bear in mind, I can attach malicious software to pretty much any sort of executable that I want, and for pretty much any OS. With AutoRun disabled you SHOULD be safe, but AGAIN, I don’t trust devices that I am even the slightest bit skeptical about.

For an example of what can do this, check out The Social-Engineer Toolkit (SET).

The ONLY way to truly be safe is to boot up a live Linux distribution with your hard drive unplugged, mount the USB drive, and take a look. Other than that, you’re rolling the dice.

As suggested by others, it is a must that you disable networking. It doesn’t help if your hard drive is safe and your whole network gets compromised.

我們最後的答案來自山貓：

Another danger is that Linux will try to mount anything (joke suppressed here).

Some of the file system drivers are not bug free. Which means that a hacker could potentially find a bug in, say, squashfs, minix, befs, cramfs, or udf. Then the hacker could create a file system that exploits the bug to take over a Linux kernel and put that on a USB drive.

This could theoretically happen to Windows as well. A bug in the FAT, NTFS, CDFS, or UDF driver could open up Windows to a takeover.

從上面的答案可以看出，系統的安全性始終存在風險，但這將取決於誰（或什麼人）訪問了有問題的USB驅動器。

有什麼要補充的解釋嗎？在評論中發出聲音。想從其他精通技術的Stack Exchange使用者那裡瞭解更多答案嗎？在這裡檢視完整的討論主題。