
US-CERT drives Microsoft to fix Windows AutoRun problems

AutoRun is a feature Microsoft includes in Windows as an enhancement to the user experience, but it is hardly perfect. Parties both shady and outright malicious have subverted AutoRun to execute code without input from the user. To make matters worse, US-CERT recently found that the instructions MS had published for disabling AutoRun were ineffective.


---------------------------------------------------------------------------------------------------------------

I've written about the Windows AutoRun feature before and also about the U3-enabled flash drive, a product that takes advantage of AutoRun. Microsoft includes AutoRun to make life easier for users. People appreciate that their computer will open volumes and play CDs automatically when they are inserted. Unfortunately, since AutoRun can be directed to execute any code included on a disk, it has developed into a significant security risk as well.

Microsoft eventually published instructions for disabling AutoRun on its Windows TechNet support site. It was the only responsible thing to do after malicious code started to appear that exploited the feature. Unfortunately, as US-CERT announced on Tuesday, Microsoft's instructions were wrong.

I've mentioned US-CERT before as well. The Department of Homeland Security's cyber watchdog unit found that the registry changes that Microsoft recommended (and that I reprinted in my post) didn't work as advertised. Our friends in Redmond have responded to US-CERT's findings and released new instructions for anyone who wants to make sure AutoRun is disabled. You can choose to follow Microsoft's fix or use CERT's homegrown registry edit to solve the problem. Be aware, though, that while Vista and Server 2008 users will get Microsoft's patch as part of their regular security updates, users of Windows 2000, XP, and Server 2003 will have to apply the fix manually.
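As an added example (not from the article, Microsoft or US-CERT), the following read-only PowerShell audit reports whether the registry values behind the two fixes are actually in place on the host it runs on, and counts the per-drive entries cached under MountPoints2 that one commenter below had to delete by hand. It assumes PowerShell is available on the audited machine (Windows 2000 has none) and uses the key and value names as I know them from KB 953252 and the US-CERT advisory, so check them against the current Microsoft instructions before relying on the result.

```powershell
# Added audit script; not from the article, Microsoft or US-CERT. Read-only:
# it only inspects the registry of the machine it runs on.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$iniMap = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$mount  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-Item -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.GetValue($Name)   # an empty name selects the (Default) value
}

# 1. Microsoft's route: NoDriveTypeAutoRun is a bitmask of drive types to skip;
#    0xFF covers every drive type. (A per-user copy can also live under HKCU.)
$mask   = Get-RegValue $policy 'NoDriveTypeAutoRun'
$maskOk = ($null -ne $mask) -and (($mask -band 0xFF) -eq 0xFF)

# 2. The defect US-CERT reported was that the mask above was not fully honored.
#    After the corrected update (KB 953252), HonorAutorunSetting = 1 marks a
#    system on which the mask is enforced.
$honorOk = (Get-RegValue $policy 'HonorAutorunSetting') -eq 1

# 3. US-CERT's own workaround: map autorun.inf to a non-existent INI section,
#    so Windows never parses the file regardless of the mask.
$iniOk = (Get-RegValue $iniMap '') -eq '@SYS:DoesNotExist'

# 4. Settings cached per drive under MountPoints2 can keep the old behaviour for
#    devices seen before the change; a count > 0 is worth a look, not a failure.
$cached = 0
if (Test-Path $mount) { $cached = @(Get-ChildItem -Path $mount -ErrorAction SilentlyContinue).Count }

$checks = @(
    @('NoDriveTypeAutoRun = 0xFF',      $maskOk),
    @('HonorAutorunSetting = 1',        $honorOk),
    @('Autorun.inf IniFileMapping set', $iniOk),
    @('Either fix fully applied',       (($maskOk -and $honorOk) -or $iniOk)),
    @('MountPoints2 cached entries',    $cached)
)
foreach ($c in $checks) { '{0,-32} {1}' -f $c[0], $c[1] }
```

Run it before and after applying either fix; the last line is the only one that needs manual judgement, since cached entries are harmless once the machine-wide settings hold.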

I feel like the issues around AutoRun sum up the trade-offs that support pros have to make every day. As the "face" of the IT department, we're caught between facilitating the user experience and implementing the business's need for security and stability. If AutoRun is a liability on your network, at least now you can be sure it is finally disabled.

40 comments
braunmax

I turned off autorun/play in Win2k using the tweakui tool from M$. I thought that worked. In WinXP however the double-click/run feature did not stop functioning after the fix with tweakui provided for WinXP. To cope, I never "open" or double-click a drive, I "Explore" it. If I find an autorun.inf on a usb device I immediately "open with" it with Notepad, and check what it contains. Invariably it has been a worm. Worst of all? Of the worms that I have been presented with (mainly on usb devices of students but also from fellow faculty) I have found that all had come from McAfee or Norton antivirus "protected" systems - even when kept up to date! The free AVG [both 7.5 and 8] warned me on every occasion before allowing autorun.inf to load in the typical "copy.exe" (and many other) worm files.

DHCDBD

On one XP box I applied the CERT workaround. After reboot, it worked. On another XP box I applied the kb fix from M$. After installing the M$ fix, I edited the appropriate reg entry to 0xFF and then rebooted. After boot I inserted a U3 drive. The U3 player auto started. I went back to the registry, deleted the MountPoints2 entry. Rebooted again, reinserted the flash drive. This time it did not auto start. Based on the above, the MS fix is not complete.

JCitizen

Anything that concerns bumbfoolery from Microsoft, just doesn't surprise me anymore. Sorry for the negativity; thanks for your input. I would have hesitated using such an edit, it's good to hear that it works.

seanferd

Mmmmm... good input. Seriously.

seanferd

Yeah. Good articles, lousy forum denizens. Those thoughtful commenters are drowned in a deluge of utter dreck. Anyhow, I just didn't catch on if you were getting snippy.

Neon Samurai

.. let alone wasted moments of my eyesight on the forums. I do have to thank them though, CNet forums and overuse of Flash was a key motivation in getting me to start reading TR.

JCitizen

You should know I always value your input, I just tend to get snippy on certain subjects, but I never mean to get snippy with people. Except at the ZDNet horse and jackass show. Over there I lose my temper sometimes. Shame on me!

seanferd

Not sure what you are apologizing for. If it is for your comments re MS, I think they are acceptable. Anyone charging good money for software should have their act together, and sometimes, MS just doesn't. They have had plenty of time and examples to learn from. Of course, I do have a bias, but it is from experience, and it is not a "religious" thing with me. Sometimes, people do get frustrated, and you certainly weren't over-the-top. edit: fixed emoticon

JCitizen

With my bad attitude on things like this, I don't know whether to put tongue in cheek or bite my lip! =) I apologize for this.

Chug

I find AutoRun useful and would not like to disable it. I see this as a user training issue. Why are users putting discs for flash drives that they don't know what's on them in the first place? I see it no different than a user getting infected from opening an e-mail attachment they had no business opening.

a.barry

I think the people who write OS's could do with a little training. CDs, DVDs and flash drives should be treated with the same "10 foot pole" approach that content on the Web is treated with. One shouldn't have to "explore" vs "open" flash drives.

acsmith

Get real. A user gets a needed file for another user's computer. What he wants is on the flashdrive/CD but the malware doesn't show in the files listing, no surprise here. Then he places the drive/CD in a networked corporate machine and because IT Support has misconfigured the A/V or maybe because the A/V software doesn't even recognize the malware yet the corporate machine is infected. I'm inclined not to blame the user in this case.

Neon Samurai

For those with an ActiveDirectory behind the workstations, can autorun be disabled by group policy?

roger.reading

The Vista system is up to date on patches and I still cannot find the GPedit.msc as per the instructions. Are the instructions pointed to in the article correct? Regards

Neon Samurai

We're sticking with XP at work so I was more curious about if autorun could be disabled through user policy directly through the Active Directory. That way the office machines are all protected at the user's next login when the ActiveDirectory policy loads. Odd that Vista's policy editor would be so hard to locate though.

seanferd

I've checked with MS, and on Vista Home machines.

Neon Samurai

I don't have a Vista machine handy to test it out though but I'm hearing that gpedit.msc is not handy on Vista machines. In my own case, that means adjusting each individual machine where I want to just place an Active Domain rule and have all subordinate machines pick up the change across the company.

Neon Samurai

The originally had a Linux based firmware and the Windows Home Server versions. The Linux based version had two drive bays while the Windows one continues on with four; WTF is that? If one were to purchase the Windows version for the four bays, could one fix the vendor's mistake and replace Home Server? I guess really, it's just an overhyped NAS box since it does pretty much the exact same as every other four bay hot swap NAS box on the market (freedom9, visionvault...) Sadly, the Freedom9 suffers from some of the same crippling design decisions. It has five or so ports open and listening by default with no way to configure what protocols/services are available. At least it includes NFS along with Samba and ftp. The RAID5 plus a spare drive configuration is a killer feature though. At least one can use a router rule to block the IP/MAC from accessing the WAN feed. (edit): I keep saying "visionvault" when meaning the "smartvault" from Visionman. For me, it's between the visionvault and freedom9 if room opens up in the budget.

JCitizen

as that would be accurate, but I've been pressuring HP to come up with an Ultimate version that has it all. I don't like anything that can't be locked down policy wise, even inside my home LAN. It may be that it is beyond both theirs and Microsoft's control as it was designed with Hollywood DRM in mind. I imagine Redmond and the OEMs have been toting that bale when it comes to allowing a BD burner and a cable card in the same OEM build.

blackepyon01

in Start>Run: gpedit.msc should get to it.

Neon Samurai

At home, those licenses don't allow functions I'd need. At work, those licenses won't allow proper management by domain policy. They're of no use to me in either setting. Sadly, there are a lot of those licenses out there and many of them in homes where the owner isn't going to be doing manual labor to close that vulnerability.

JCitizen

or AD or scripting would probably provide the tools. Of course, I haven't used it for four years and have forgotten half of what little I knew about AD administration. But try as I might I've found very few features on the particular Home Premium version that I have.

seanferd

And it is also possible that administrative tools just weren't installed, but are available to be installed from disc, options folder, or installation partition.

Neon Samurai

Are they F'ing kidding? What was the excuse MS gave for not being able to patch the function in pre-Vista versions? 2K I can understand to some degree but XP is still getting active patches on a regular basis. Unacceptable.

Chug

(see my other post about this being a user training issue) Because a lot of users (me one of them) LIKE the functionality and DON'T want it disabled, or would think their system broke when it was disabled if they weren't aware of the patch and the reason for it. In a closed IT environment then the IT people can decide to deploy it to everyone in their organization. But MS could tick off a LOT of normal home users (I would be one of them) by deploying it to everyone.

Neon Samurai

I don't mean removing the autorun function completely. My initial issue was that they are going to release a Vista patch which fixes it but for anything older including XP, you have to manually download the patch (not on windows update) then manually hack the registry to fix the issue. That's what I think is most outrageous. Since you brought it up though; maybe MS needs to rewrite the autorun function with some security considerations so that it still saves users all of the one click it takes to start your music cd playing while not being exploitable in such an easy way.

seanferd

It just fixes the problem with autorun not being entirely disabled when one chooses to disable it.

CAH

The linked page at technet states: "Article ID: 953252 - Last Review: September 11, 2008 - Revision: 3.0" Is their review date wrong or is the link pointing to a bad page?

boxfiddler

that MS can't fix its own product. Add just a little disconcerting.

cwsumner@compuserve.com

This is the same Microsoft that, in the 1970's, sold MS Basic software bundled with a (required) add-on S-100 4Kb dynamic memory board, that never worked. For anyone! On any type of computer! And they never fixed them. And even after they knew they were bad, they still required it to be sold with the software. So to get the software, you had to pay for a known-bad board. Some things they have done well, but honesty is not part of it. 8-/

JackOfAllTech

You can use any of the myriad TweakUI varieties out there such as SafeXP to disable it also.

Merlin the Wiz

and go back to using dumb terminals and big iron at work and leave the personal computers to home. Then our work systems security problems will be much smaller. Most IT professionals will be happy, because they will not have to think about users that want to learn how to use that bleeping computer more efficiently. And they will be back in control. Well, as usual this does not get placed where I tried to put it. sorry Jack

Neon Samurai

it'll get placed in the root like the other comments rather than as a response to the first comment. ------------ separately: My take would have been more along the lines of "let's motivate Microsoft to put some effort into quality control rather than doing such a good job of marketing a half baked product."

seanferd

At least with Win7, they are trying out public beta-testing (that is, before RTM :) ). Patch-wise, every support/IT unit will need to test for itself. There are some things that can't be tested under every condition, and patches are far more likely to break something on a system that is compromised or poorly configured already. Your question does have a lot of merit, though.

fof9l

If I ever release a fix to a client, I make darned sure it works as it should before I send it to them, rather than have them find out afterwards. Not only does it protect my reputation, it's so much cheaper to do it right first time!
