SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   Autorun Vendors:   Microsoft
Microsoft Windows Guidelines for Disabling AutoRun are Ineffective and May Permit Code Execution
SecurityTracker Alert ID:  1021629
SecurityTracker URL:  http://securitytracker.com/id/1021629
CVE Reference:   CVE-2009-0243   (Links to External Site)
Updated:  Jan 29 2009
Original Entry Date:  Jan 22 2009
Impact:   Execution of arbitrary code via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in Microsoft Windows AutoRun. The vendor's guidelines for disabling the AutoRun feature do not disable automatic code execution.

Contrary to guidelines provided by the vendor, setting the Autorun registry value to 0 does not fully prevent newly connected devices from automatically running code specified by the 'Autorun.inf' file. In addition, setting the NoDriveTypeAutorun registry value to 0xFF does not fully prevent the system from automatically running code specified by the 'Autorun.inf' file when the target user browses the connected device.

The original advisory is available at:

http://www.us-cert.gov/cas/techalerts/TA09-020A.html

Impact:   Code on a connected device may be executed.
Solution:   The US-CERT advisory provides instructions on how to properly disable the AutoRun feature.

The US-CERT advisory is available at:

http://www.us-cert.gov/cas/techalerts/TA09-020A.html

Vendor URL:  www.microsoft.com/ (Links to External Site)
Cause:   Configuration error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Tue, 20 Jan 2009 23:42:34 -0500
Subject:  US-CERT Technical Cyber Security Alert TA09-020A -- Microsoft Windows Does Not Disable AutoRun Properly


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                    National Cyber Alert System

              Technical Cyber Security Alert TA09-020A


Microsoft Windows Does Not Disable AutoRun Properly

   Original release date: January 20, 2009
   Last revised: --
   Source: US-CERT


Systems Affected

     * Microsoft Windows


Overview

   Disabling AutoRun on Microsoft Windows systems can help prevent the
   spread of malicious code. However, Microsoft's guidelines for
   disabling AutoRun are not fully effective, which could be
   considered a vulnerability.


I. Description

   Microsoft Windows includes an AutoRun feature, which can
   automatically run code when removable devices are connected to the
   computer. AutoRun (and the closely related AutoPlay) can
   unexpectedly cause arbitrary code execution in the following
   situations:
   
   * A removable device is connected to a computer. This includes, but
   is not limited to, inserting a CD or DVD, connecting a USB or
   Firewire device, or mapping a network drive. This connection can
   result in code execution without any additional user interaction.
   
   * A user clicks the drive icon for a removable device in Windows
   Explorer. Rather than exploring the drive's contents, this action
   can cause code execution.

   * The user selects an option from the AutoPlay dialog that is
   displayed when a removable device is connected.  Malicious
   software, such as W32.Downadup, is using AutoRun to
   spread. Disabling AutoRun, as specified in the CERT/CC
   Vulnerability Analysis blog, is an effective way of helping to
   prevent the spread of malicious code.
   
   The Autorun and NoDriveTypeAutorun registry values are both
   ineffective for fully disabling AutoRun capabilities on Microsoft
   Windows systems. Setting the Autorun registry value to 0 will not
   prevent newly connected devices from automatically running code
   specified in the Autorun.inf file. It will, however, disable Media
   Change Notification (MCN) messages, which may prevent Windows from
   detecting when a CD or DVD is changed. According to Microsoft,
   setting the NoDriveTypeAutorun registry value to 0xFF "disables
   Autoplay on all types of drives." Even with this value set, Windows
   may execute arbitrary code when the user clicks the icon for the
   device in Windows Explorer.


II. Impact

   By placing an Autorun.inf file on a device, an attacker may be able
   to automatically execute arbitrary code when the device is
   connected to a Windows system. Code execution may also take place
   when the user attempts to browse to the software location with
   Windows Explorer.


III. Solution

   Disable AutoRun in Microsoft Windows
   
   To effectively disable AutoRun in Microsoft Windows, import the
   following registry value:
   
   REGEDIT4   
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
   @="@SYS:DoesNotExist"
   
   To import this value, perform the following steps:
   
   * Copy the text
   * Paste the text into Windows Notepad
   * Save the file as autorun.reg
   * Navigate to the file location
   * Double-click the file to import it into the Windows registry

   Microsoft Windows can also cache the AutoRun information from
   mounted devices in the MountPoints2 registry key. We recommend
   restarting Windows after making the registry change so that any
   cached mount points are reinitialized in a way that ignores the
   Autorun.inf file. Alternatively, the following registry key may be
   deleted:
   
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
   
   Once these changes have been made, all of the AutoRun code
   execution scenarios described above will be mitigated because
   Windows will no longer parse Autorun.inf files to determine which
   actions to take. Further details are available in the
   CERT/CC Vulnerability Analysis blog. Thanks to Nick Brown and Emin
   Atac for providing the workaround.


IV. References

 * The Dangers of Windows AutoRun -
   <http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html>

 * US-CERT Vulnerability Note VU#889747 -
   <http://www.kb.cert.org/vuls/id/889747>

 * Nick Brown's blog: Memory stick worms -
   <http://nick.brown.free.fr/blog/2007/10/memory-stick-worms>

 * TR08-004 Disabling Autorun -
   <http://www.publicsafety.gc.ca/prg/em/ccirc/2008/tr08-004-eng.aspx>

 * How to Enable or Disable Automatically Running CD-ROMs -
   <http://support.microsoft.com/kb/155217>

 * NoDriveTypeAutoRun -
   <http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx>

 * Autorun.inf Entries -
   <http://msdn.microsoft.com/en-us/library/bb776823(VS.85).aspx>

 * W32.Downadup -
   <http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99>

 * MS08-067 Worm, Downadup/Conflicker -
   <http://www.f-secure.com/weblog/archives/00001576.html>

 * Social Engineering Autoplay and Windows 7 -
   <http://www.f-secure.com/weblog/archives/00001586.html>

 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA09-020A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA09-020A Feedback VU#889747" in
   the subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2009 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________

Revision History
  
  January 20, 2009: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSXYqQnIHljM+H4irAQL9EAgAwE5XWd+83CTwTl1vAbDW3sNfCaucmj79
VmXJ+GktQorbcp29fktYaQxXZ2A6qBREJ1FfwlM5BT0WftvGppLoQcQO3vbbwEQF
M0VG5xZhTOi8tf4nedBDgDj0ENJBgh6C73G5uZfVatQdFi79TFkf9SVe6xn5BkQm
5kKsly0d/CX/te15zZLd05AJVEVilbZcECUeDVAYDvWcQSkx2OsJFb+WkuWI9Loh
zkB7uOeZFY9bgrC04nr9DPHpaPFd8KCXegsxjqN1nIraaCabfvNamriqyUFHwAhK
sk/DFSjdI6xJ4fXjDQ77wfgLYyTeYQ/b2U/1sqkbOTdCgXqSop5RrA==
=6/cp
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC