Updated: Microsoft Security Advisory (967940)

ronjor · Feb 8, 2011

Update for Windows Autorun
Published: February 24, 2009 | Updated: February 08, 2011

Overview

Purpose of Advisory: To provide clarification and notification of the availability of non-security updates to correct the functionality of the NoDriveTypeAutoRun registry key and restrict the AutoPlay functionality on affected systems. These updates affect the software that is listed in the Related Software table below.
Click to expand...

Microsoft

ronjor · Feb 8, 2011

Deeper insight into the Security Advisory 967940 update

Hi! I'm Adam Shostack, a program manager working in TWC Security, and I'd like to talk a bit about today's AutoRun update. Normally, I post over on the SDL blog, but of late I've been doing a lot of work in classifying and quantifying how Windows computers get compromised. One thing that popped from that analysis was the proportion of infected machines with malware that uses Autorun to propagate.

You might note that that's a convoluted sentence, and I apologize. Why can't I just say "infected because of AutoRun?" Well, because we don't actually know that. Due to the nature of the problem, it's probably not possible to acquire great data on the number of attacks that succeed by misusing Autorun. What we know, and talked about in volume 9 of our Security Intelligence Report last fall, is that a lot of malware uses Autorun as one of several propagation mechanisms. Because of the very real positive uses of Autorun, we didn't want to simply shut it off without a conversation. On the other hand, we believed action should be taken to shut down the misuse.
Click to expand...

http://blogs.technet.com/b/msrc/arc...into-the-security-advisory-967940-update.aspx

siljaline · Feb 13, 2011

Update to the AutoPlay functionality in Windows

The MS KB article 971029 MS listed this as an optional update on Windows Update.

Many have missed this, folks may consider applying this.

MS have promised to move this update from Optional to Important within a short time.

The update packages are there for you to choose and install or you may choose to use Windows Update.

Cudni · Feb 13, 2011

Re: Update to the AutoPlay functionality in Windows

Thank for highlighting the update. From security point, I consider it both useful and important

wat0114 · Feb 13, 2011

Re: Update to the AutoPlay functionality in Windows

It looks to apply to Vista, XP, Server '03 & '08.

Rmus · Feb 13, 2011

Some USB flash drives have firmware that present these USB flash drives as CD drives when you insert them into computers. These USB flash drives are not affected by this update
Click to expand...

Does this refer to the U3 type of flash drive?

thanks,

rich

Cudni · Feb 13, 2011

Rmus said:

Does this refer to the U3 type of flash drive?

thanks,

rich
Click to expand...

I think so. Those will not be blocked, I guess, even if their firmware contains something autostart function

Rmus · Feb 13, 2011

Thanks, Cudni.

I assumed so, therefore, I don't see the purpose of this update, since it doesn't block one of the most successful attack vectors, an infected Flash drive.

It can't, of course, because (I assume) Windows wouldn't be able to distinguish between a true CD-ROM and CD-ROM emulation, and Microsoft doesn't want to break Autorun with AutoPlay for CD-ROM/DVD-ROM.

At least that is how it appears to me.

Am I correct?

thanks,

rich

siljaline · Feb 13, 2011

Those replying to my merged post with Ron's will get an invalid link
https://www.wilderssecurity.com/showthread.php?t=292961&goto=newpost

Cudni · Feb 13, 2011

well if firmware is infected then the supplier has a lot to answer meanwhile other things are blocked

Rmus · Feb 13, 2011

This is true, but the threat is not from the supplier, but from possible infection later. From an old Hijack forum:

infections on pendrive
http://www.computing.net/answers/security/infections-on-pendrive/19560.html

I found that there are some strange folders and files in my pendrives.

F:\ms.config\
F:\rm\
F:\AUTORUN.INF
F:\infrom.exe

........

I have suffered same problem after using pen-drive in hotel business centre.
Click to expand...

Every so often Autoplay/Autorun is revisited in the security media. I and a few others were discussing this last week, and we always re-evaluate our own policies/procedures for users, to see if anything needs to be changed.

Mine have been the same for many years, as the threats have not changed:

1) Avoid connecting your USB external drives to another computer -- no potential USB virus can infect.

2) Avoid Flash drives with CD-ROM emulation. Therefore, if you must connect the flash drive to another computer in order to transfer files, it cannot initiate an autorun.inf exploit, should it become infected by a USB virus from the other computer.

3) If you do permit someone else to connect a CD-ROM, or a Flash drive to your for the purpose of transferring files, autorun can be temporarily supressed by holding down the SHIFT key:

Enabling and Disabling AutoRun
http://msdn.microsoft.com/en-us/library/cc144204(v=vs.85).aspx

Users can manually suppress AutoRun by holding down the SHIFT key when they insert the CD-ROM.
Click to expand...

(this also applies to USB media)

Then, open Windows Explorer (not My Computer) to the drive to view the contents.

4) Have protection in place against unauthorized executables, in case of any mishaps.

Some years ago, it was suggested that CDs made by another person could be infected. I made a test showing how 4) above would protect in case the user trustingly inserted a CD made by someone else and passed around:
Code:
[autorun]
open=disksetup
(BTW - this would have alerted to the potential Sony Rootkit. The user may have decided afterwards to permit the installation of the software, but at least the autorun part would have been thwarted)

Again, I don't see how this particular update is very comforting, since a potential attack vector remains unsecured.

----
rich

Cudni · Feb 13, 2011

The way I understand firmware, although still code, is that it should be much harder to infiltrate in order to subvert. And supplier that allows such kind of hacks would not stay a supplier for long.

Rmus · Feb 13, 2011

You will have to explain what you mean by infiltrate firmware.

Anyone can infect a Flash drive by just copying an autorun.inf file + malware executable to the drive. If the drive is CD-ROM emulation, then just connecting it to a computer runs the exploit (unless the user has other protective measures in place.)

That is how I understood the infections I referenced in the earlier post.

Am I missing something else?

thanks,

rich

Cudni · Feb 13, 2011

patch should block autorun.inf, whoever or however it is added, but it will not block whatever custom programs is in the firmware on that usb

Rmus · Feb 13, 2011

OK, thanks.

rich

ronjor · Feb 22, 2011

Microsoft Security Advisory (967940)

Published: February 24, 2009 | Updated: February 22, 2011

Version: 2.1

Microsoft is announcing the availability of updates to the Autorun feature that help to restrict AutoPlay functionality to only CD and DVD media on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Restricting AutoPlay functionality to only CD and DVD media can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a USB flash drive, network shares, or other non-CD and non-DVD media containing a file system with an Autorun.inf file.
Click to expand...

https://www.microsoft.com/technet/security/advisory/967940.mspx

Log in or Sign up

Updated: Microsoft Security Advisory (967940)

ronjor Global Moderator

ronjor Global Moderator

siljaline Registered Member

Cudni Global Moderator

wat0114 Guest

Rmus Exploit Analyst

Cudni Global Moderator

Rmus Exploit Analyst

siljaline Registered Member

Cudni Global Moderator

Rmus Exploit Analyst

Cudni Global Moderator

Rmus Exploit Analyst

Cudni Global Moderator

Rmus Exploit Analyst

ronjor Global Moderator

Log in or Sign up

Updated: Microsoft Security Advisory (967940)

ronjor Global Moderator

ronjor Global Moderator

siljaline Registered Member

Cudni Global Moderator

wat0114 Guest

Rmus Exploit Analyst

Cudni Global Moderator

Rmus Exploit Analyst

siljaline Registered Member

Cudni Global Moderator

Rmus Exploit Analyst

Cudni Global Moderator

Rmus Exploit Analyst

Cudni Global Moderator

Rmus Exploit Analyst

ronjor Global Moderator

Useful Searches