“Autorun” on Windows® may be active even if disabled

US-CERT has issued an alert about a flaw in Microsoft’s (NASDAQ: MSFT) guidelines for disabling the auto-run functionality, the feature from hell that causes certain optional code on removable media (or on network drives) to be executed automatically as soon as that drive is mounted, as well as under certain other circumstances.


Of course, such behaviour is a great vector for malicious software, which is why every professional Windows administrator or auditor knows and follows Microsoft’s instructions for disabling auto-run. However, those instructions have now been found to be flawed, which means that a huge number of Windows servers and workstations may be candidates for malware installation. This vulnerability may be one of the reasons behind the aggressive propagation of W32/Conficker.

This is from the US-CERT alert:


The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF “disables Autoplay on all types of drives”. Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.

The alert also includes instructions for truly (we hope) disabling auto-run.
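
For auditing a machine against the point the alert makes, the following PowerShell sketch reads the two values it names and decodes the NoDriveTypeAutorun bitmask per drive type. It is an added example, not taken from the alert or from Microsoft; the registry key paths and the drive-type bit meanings are the standard Windows ones and are not given on this page, and the helper function names are hypothetical.

```powershell
# Added example: audit the two registry values named in the US-CERT alert.
# Key paths are the standard Windows locations (assumption: not stated on this page).
$CdromKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom'
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

# NoDriveTypeAutoRun is a bitmask: a set bit disables Autoplay for that drive type.
$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'unknown type' },
    @{ Bit = 0x02; Name = 'no root directory' },
    @{ Bit = 0x04; Name = 'removable' },
    @{ Bit = 0x08; Name = 'fixed' },
    @{ Bit = 0x10; Name = 'network' },
    @{ Bit = 0x20; Name = 'CD-ROM' },
    @{ Bit = 0x40; Name = 'RAM disk' },
    @{ Bit = 0x80; Name = 'reserved' }
)

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-UncoveredDriveTypes([int]$Mask) {
    # Drive types whose bit is clear, i.e. Autoplay is not disabled for them.
    $DriveTypeBits | Where-Object { -not ($Mask -band $_.Bit) } |
        ForEach-Object { $_.Name }
}

$autorun = Get-RegValue $CdromKey 'AutoRun'
'Cdrom AutoRun = {0} (0 only turns off Media Change Notification)' -f $autorun

foreach ($key in $PolicyKeys) {
    $v = Get-RegValue $key 'NoDriveTypeAutoRun'
    if ($null -eq $v) { '{0}: NoDriveTypeAutoRun not set' -f $key; continue }
    if ($v -is [byte[]]) { $v = $v[0] }   # REG_BINARY form: mask is the first byte
    $open = @(Get-UncoveredDriveTypes ([int]$v))
    '{0}: NoDriveTypeAutoRun = 0x{1:X2}' -f $key, [int]$v
    if ($open.Count) {
        '  Autoplay still enabled for: ' + ($open -join ', ')
    } else {
        '  All drive types masked; per the alert, Explorer may still run Autorun.inf code on icon click'
    }
}
```

A result of 0xFF in both hives matches Microsoft’s guidance but, as the alert states, does not amount to fully disabled AutoRun.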
