Downadup worm causes confusion over Autorun
The DHS' US-CERT (Computer Emergency Readiness Team) released a security alert yesterday warning that the usual method of disabling Autorun in Windows, an action meant to stanch the spread of the Downadup worm, is itself flawed and leaves systems exposed.
The Downadup worm has reached epidemic proportions (meaning, I have begun to overhear conversations between elderly women talking about it). But an announcement from US-CERT this week says that one of the remedies to the problem, a registry fix that disables Autorun, is unsound.
"The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling Autorun capabilities on Microsoft Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF 'disables Autoplay on all types of drives.' Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer."
Autorun was introduced with Windows 95 and is relatively self-explanatory: it can automatically run a file either when storage media is mounted or when the drive's icon is clicked. The security agency has posted its own solution for disabling Autorun.
When asked about US-CERT's post, Microsoft's security response communications manager Bill Sisk said, "US Cert has updated their post about Autorun, pointing to Microsoft Knowledge Base (KB) article 953252 that details 'How to correct 'disable Autorun registry key' enforcement in Windows.' This KB article was published in May 2008."
"Microsoft also published guidance on how to mitigate infection attempts using Autorun, which has been a common vector manipulated by the Conficker (a.k.a., Downadup) worm. Information can be found here. Customers who have downloaded MS08-038 and have followed the guidance provided in Microsoft Knowledge Base (KB) article 953252 are protected from this vector of attack."
US-CERT notes that the fix was released via Microsoft Update to Windows Vista and Server 2008 as part of the MS08-038 security bulletin, but users of Windows 2000, XP, and Server 2003 must install the update manually.
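An added audit script (not part of the article, US-CERT's alert, or Microsoft's KB article) that reads the NoDriveTypeAutoRun policy value the alert discusses in both the machine and user policy keys, and also checks for HonorAutorunSetting, the value I recall the KB 953252 update introducing so that the policy is actually enforced; that value name and location are assumptions, not taken from this page.

```powershell
# Added example, not from the article. Registry paths are the standard Explorer
# policy keys; HonorAutorunSetting is the enforcement value the KB 953252 update
# is recalled to add (assumption: name and location not given on this page).
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutorunPosture {
    [CmdletBinding()]
    param()

    # Collect the relevant values from each policy key; missing keys yield $null.
    $findings = foreach ($key in $PolicyKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                 = $key
            NoDriveTypeAutoRun  = $(if ($props) { $props.NoDriveTypeAutoRun } else { $null })
            HonorAutorunSetting = $(if ($props) { $props.HonorAutorunSetting } else { $null })
        }
    }

    # 0xFF is the value the alert quotes as "disables Autoplay on all types of drives".
    $policySet = [bool]($findings | Where-Object { $_.NoDriveTypeAutoRun -eq 0xFF })

    # Without the update's enforcement value the policy may still be ignored,
    # which is the gap the US-CERT alert describes.
    $machine  = Get-ItemProperty -Path $PolicyKeys[0] -ErrorAction SilentlyContinue
    $enforced = ($null -ne $machine) -and ($machine.HonorAutorunSetting -eq 1)

    [pscustomobject]@{
        Findings       = $findings
        PolicyDisabled = $policySet
        UpdateEnforced = $enforced
        Verdict        = $(if ($policySet -and $enforced) { 'Autorun disabled and enforced' }
                           elseif ($policySet) { 'Policy set, but enforcement value missing (apply KB 953252 update)' }
                           else { 'Autorun not fully disabled' })
    }
}

Get-AutorunPosture | Format-List
```

Run it in an elevated PowerShell session so both hives are readable; a verdict other than the first line means the host is still exposed to the Autorun.inf vector the article describes.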