
January 21st, 2009

US-CERT warning: Windows does not disable AutoRun properly

Posted by Ryan Naraine @ 9:43 am


The U.S. Computer Emergency Readiness Team (US-CERT) has issued a technical cyber-security alert warning that Microsoft’s guidelines for disabling AutoRun in the Windows operating system “are not fully effective,” and it argues that this “could be considered a vulnerability.”

The US-CERT warning comes on the heels of live malware/worm attacks that take advantage of the Windows AutoRun and AutoPlay features to improve propagation.

[ SEE:  Is there no end to the AutoRun madness? ]

Here’s the skinny on Microsoft’s hiccup:

  • The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF “disables Autoplay on all types of drives.” Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.

This means that malware authors can place an Autorun.inf file on a device to automatically execute arbitrary code when the device is connected to a Windows system. Code execution may also take place when the user attempts to browse to the software location with Windows Explorer, US-CERT warned.

The alert includes instructions for editing the registry to properly disable AutoRun in Microsoft Windows.

UPDATE: Microsoft sent me an e-mail to point out that its KB953252 document, published in May 2008, describes how to correct the problem of NoDriveTypeAutoRun registry value enforcement. This prompted an update on the US-CERT notice:

After the update is installed, Windows will obey the NoDriveTypeAutorun registry value. Note that this fix has been released via Microsoft Update to Windows Vista and Server 2008 systems as part of the MS08-038 Security Bulletin. Windows 2000, XP, and Server 2003 users must install the update manually. Our testing has shown that installing this update and setting the NoDriveTypeAutoRun registry value to 0xFF will disable AutoRun.
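
An added example, not from US-CERT, Microsoft or the original post: a PowerShell audit that decodes the NoDriveTypeAutoRun mask described above, reports which drive types still allow AutoRun, and then looks for the KB953252 update. It assumes the standard Policies\Explorer key under HKLM and HKCU and Microsoft's documented bit meanings for the mask, neither of which is spelled out on this page.

```powershell
# Added example (not from US-CERT or Microsoft): audit NoDriveTypeAutoRun.
# A set bit disables AutoRun for that drive type; 0xFF sets all eight bits.
$DriveTypeBits = @(
    @{ Mask = 0x01; Name = 'Unknown drive type' },
    @{ Mask = 0x02; Name = 'No root directory' },
    @{ Mask = 0x04; Name = 'Removable (USB, floppy)' },
    @{ Mask = 0x08; Name = 'Fixed disk' },
    @{ Mask = 0x10; Name = 'Network drive' },
    @{ Mask = 0x20; Name = 'CD/DVD' },
    @{ Mask = 0x40; Name = 'RAM disk' },
    @{ Mask = 0x80; Name = 'Reserved / future types' }
)

function Get-AutoRunGap {
    param([int]$Value)
    # Drive types whose bit is clear still allow AutoRun.
    $DriveTypeBits |
        Where-Object { ($Value -band $_.Mask) -eq 0 } |
        ForEach-Object { $_.Name }
}

# Assumed location of the policy value (not given on the page).
$policyKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($hive in 'HKLM:', 'HKCU:') {
    $path = "$hive\$policyKey"
    $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        "{0}: NoDriveTypeAutoRun is not set" -f $path
        continue
    }
    $raw = $item.NoDriveTypeAutoRun
    # Some systems store the value as REG_BINARY; the low byte holds the mask.
    if ($raw -is [byte[]]) { $raw = $raw[0] }
    $value = [int]$raw -band 0xFF
    $gaps = @(Get-AutoRunGap -Value $value)
    if ($gaps.Count -eq 0) {
        "{0}: 0x{1:X2} covers every drive type" -f $path, $value
    } else {
        "{0}: 0x{1:X2} leaves AutoRun enabled for: {2}" -f $path, $value, ($gaps -join ', ')
    }
}

# Per the US-CERT update, the value is only obeyed once the KB953252 update is installed.
# On Vista/Server 2008 the fix ships inside MS08-038, so a miss here is not conclusive.
if (Get-HotFix -Id 'KB953252' -ErrorAction SilentlyContinue) {
    'KB953252 is installed'
} else {
    'KB953252 not listed by Get-HotFix'
}
```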

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

