US-CERT warns Microsoft Windows autorun off advice is flawed

 

The autorun option is being used by a number of worm attacks to trigger a malware infection. As a result of this, Microsoft has issued an advisory to IT managers and other interested parties on how to turn off the autorun option.
The problem, say US-CERT officials, is that Microsoft's advice on changing the Autorun and NoDriveTypeAutorun registry values is ineffective: setting the Autorun registry value to 0, as the software giant is recommending, will not prevent newly connected devices from automatically running program code specified in the Autorun.inf file.
Perhaps worse, Infosecurity notes, the registry changes will disable Media Change Notification messages, which may prevent Windows from detecting when a CD or DVD is changed.
Microsoft says that setting the NoDriveTypeAutorun registry value to 0xFF "disables Autoplay on all types of drives."
US-CERT, however, reports that even with this value set, Windows can execute arbitrary program code when the user clicks the icon for the device in Internet Explorer.
This means that malware authors and hackers can place an Autorun.inf file on a device to automatically execute arbitrary code when the device is connected to a Windows system.
US-CERT also advises that code execution can take place when the user attempts to browse to the software location with Internet Explorer.
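
For triage of removable media, the following added example (not from the article, Microsoft or US-CERT) lists the entries in an Autorun.inf file that name a command to run. The key names `open`, `shellexecute` and `shell\<verb>\command` are standard Autorun.inf entries that the article does not name, the function names are hypothetical, and the sample content is constructed.

```python
# Added example: list Autorun.inf entries that name a command to launch.
# Key names are standard Autorun.inf entries (assumption: not named in the article).
EXEC_KEYS = {"open", "shellexecute"}


def autorun_commands(text):
    """Return (key, command) pairs from the [autorun] section that launch code."""
    findings = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            # Section names are matched case-insensitively.
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        # shell\<verb>\command binds a command to a shell verb for the drive.
        is_verb = (key.startswith("shell\\") and key.endswith("\\command")
                   and key.count("\\") >= 2)
        if value and (key in EXEC_KEYS or is_verb):
            findings.append((key, value))
    return findings


def scan_file(path):
    """Read an Autorun.inf from disk (UTF-16 if it has a BOM, else Latin-1)."""
    with open(path, "rb") as fh:
        data = fh.read()
    bom = data[:2] in (b"\xff\xfe", b"\xfe\xff")
    return autorun_commands(data.decode("utf-16" if bom else "latin-1"))


# Constructed sample content, not taken from a real device.
SAMPLE = "\n".join([
    "; constructed sample",
    "[AutoRun]",
    "icon=setup.ico",
    "label=Backup Drive",
    r"OPEN=tools\launcher.exe /quiet",
    r"shell\explore\command = tools\launcher.exe",
    "[Content]",
    "open=ignored.exe",
])

if __name__ == "__main__":
    for key, command in autorun_commands(SAMPLE):
        print(f"{key} -> {command}")
```

An empty result means the file only sets cosmetic entries such as `icon` or `label`; any returned pair is a command the file asks Windows to run and is worth inspecting before the device is opened on a production machine.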

 
