US-Cert says Microsoft got fix wrong

Disabling AutoRun not effective.

TweakTown
Microsoft may be misleading users as to an effective method for dealing with the W32.Downadup worm that is spreading quickly around the web.

In a KB article, Microsoft explains that simply disabling AutoRun is an effective solution; US-CERT disagrees and says that this is an ineffective workaround.

AutoRun and AutoPlay are functions within Windows that allow newly attached drives and other media to play without user intervention.
This is usually down to an Autorun.inf file, which contains information on what to do when the disk or drive is accessed.
For example (taken from an Office 2003 CD-ROM):
[autorun]
OPEN=SETUP.EXE /AUTORUN
ICON=SETUP.EXE,1

shell\configure=&Configure...
shell\configure\command=SETUP.EXE

shell\install=&Install...
shell\install\command=SETUP.EXE

The code tells the computer which applications to run when the disc is inserted or when it is accessed by double-clicking.
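As an added example (not from the article, Microsoft or US-CERT), the following Python code parses an Autorun.inf and lists the programs it asks Windows to launch, which helps when triaging removable media before it is opened. The function name audit_autorun and the report layout are assumptions made for this illustration; the sample input is the file quoted above.

```python
import re

# Autorun.inf quoted in the article (from an Office 2003 CD-ROM).
SAMPLE = r"""[autorun]
OPEN=SETUP.EXE /AUTORUN
ICON=SETUP.EXE,1

shell\configure=&Configure...
shell\configure\command=SETUP.EXE

shell\install=&Install...
shell\install\command=SETUP.EXE
"""

AUTO_KEYS = {"open", "shellexecute"}                  # run when AutoRun fires
VERB_CMD = re.compile(r"^shell\\([^\\]+)\\command$")  # command behind a menu verb
VERB_LABEL = re.compile(r"^shell\\([^\\]+)$")         # menu text shown to the user


def audit_autorun(text):
    """Hypothetical helper: return the programs an Autorun.inf asks Windows to launch."""
    report = {"auto": [], "verbs": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # only the [autorun] section matters here
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()  # INI keys are case-insensitive
        if key in AUTO_KEYS:
            report["auto"].append((key, value))
        elif m := VERB_CMD.match(key):
            report["verbs"].setdefault(m.group(1), {})["command"] = value
        elif m := VERB_LABEL.match(key):
            report["verbs"].setdefault(m.group(1), {})["label"] = value
    return report


if __name__ == "__main__":
    result = audit_autorun(SAMPLE)
    for key, cmd in result["auto"]:
        print(f"auto-launch  {key}: {cmd}")
    for verb, info in result["verbs"].items():
        print(f"menu verb    {verb}: {info.get('label')!r} -> {info.get('command')}")
```

The label and the command of each verb are both set by the file on the media, so the menu text a user sees says nothing reliable about what will run.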

US-CERT has a method to properly disable AutoRun, but users are still cautioned to have good malware protection.

Read more here.


The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF "disables Autoplay on all types of drives." Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.
