Updated: Microsoft Security Advisory (967940)

Discussion in 'other security issues & news' started by ronjor, Feb 8, 2011.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    Microsoft
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    Deeper insight into the Security Advisory 967940 update
    http://blogs.technet.com/b/msrc/arc...into-the-security-advisory-967940-update.aspx
     
  3. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Update to the AutoPlay functionality in Windows

    MS KB article 971029: MS listed this as an optional update on Windows Update.

    Many have missed this; folks may consider applying it.

    MS have promised to move this update from Optional to Important within a short time.

    The update packages are there for you to choose and install or you may choose to use Windows Update.
     
  4. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Re: Update to the AutoPlay functionality in Windows

    Thanks for highlighting the update. From a security point of view, I consider it both useful and important.
     
  5. wat0114

    wat0114 Guest

    Re: Update to the AutoPlay functionality in Windows

    It looks to apply to Vista, XP, Server '03 & '08.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Does this refer to the U3 type of flash drive?

    thanks,

    rich
     
  7. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    I think so. Those will not be blocked, I guess, even if their firmware contains some autostart function.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks, Cudni.

    I assumed so, therefore, I don't see the purpose of this update, since it doesn't block one of the most successful attack vectors, an infected Flash drive.

    It can't, of course, because (I assume) Windows wouldn't be able to distinguish between a true CD-ROM and CD-ROM emulation, and Microsoft doesn't want to break Autorun with AutoPlay for CD-ROM/DVD-ROM.

    At least that is how it appears to me.

    Am I correct?

    thanks,

    rich
     
  9. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  10. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Well, if firmware is infected then the supplier has a lot to answer for; meanwhile other things are blocked.
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This is true, but the threat is not from the supplier, but from possible infection later. From an old Hijack forum:

    infections on pendrive
    http://www.computing.net/answers/security/infections-on-pendrive/19560.html
    Every so often Autoplay/Autorun is revisited in the security media. I and a few others were discussing this last week, and we always re-evaluate our own policies/procedures for users, to see if anything needs to be changed.

    Mine have been the same for many years, as the threats have not changed:

    1) Avoid connecting your USB external drives to another computer -- no potential USB virus can infect.

    2) Avoid Flash drives with CD-ROM emulation. Therefore, if you must connect the flash drive to another computer in order to transfer files, it cannot initiate an autorun.inf exploit, should it become infected by a USB virus from the other computer.

    3) If you do permit someone else to connect a CD-ROM or a Flash drive to your computer for the purpose of transferring files, autorun can be temporarily suppressed by holding down the SHIFT key:

    Enabling and Disabling AutoRun
    http://msdn.microsoft.com/en-us/library/cc144204(v=vs.85).aspx
    (this also applies to USB media)

    Then, open Windows Explorer (not My Computer) to the drive to view the contents.

    4) Have protection in place against unauthorized executables, in case of any mishaps.

    Some years ago, it was suggested that CDs made by another person could be infected. I made a test showing how 4) above would protect in case the user trustingly inserted a CD made by someone else and passed around:

    Code:
    [autorun]
    open=disksetup
    sony.gif

    (BTW - this would have alerted to the potential Sony Rootkit. The user may have decided afterwards to permit the installation of the software, but at least the autorun part would have been thwarted)

    Again, I don't see how this particular update is very comforting, since a potential attack vector remains unsecured.

    ----
    rich
     
  12. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    The way I understand firmware, although still code, is that it should be much harder to infiltrate in order to subvert. And a supplier that allows such kinds of hacks would not stay a supplier for long.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You will have to explain what you mean by infiltrate firmware.

    Anyone can infect a Flash drive by just copying an autorun.inf file + malware executable to the drive. If the drive is CD-ROM emulation, then just connecting it to a computer runs the exploit (unless the user has other protective measures in place.)

    That is how I understood the infections I referenced in the earlier post.

    Am I missing something else?

    thanks,

    rich
     
  14. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    The patch should block autorun.inf, whoever or however it is added, but it will not block whatever custom program is in the firmware on that USB.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    OK, thanks.

    rich
     
  16. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    https://www.microsoft.com/technet/security/advisory/967940.mspx
     