Wednesday, January 21, 2009

Disabling AutoRun...Doesn't Disable AutoRun?

The US-CERT has released advisory TA09-020A, "Microsoft Windows Does Not Disable AutoRun Properly".

Many organizations disable AutoRun as part of their default domain policy to prevent malicious programs from using autorun capabilities to spread malware. Sadly, Microsoft's current guidelines for disabling AutoRun are not completely effective.

From the alert:

The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF "disables Autoplay on all types of drives." Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.
The solution is reasonably simple - inserting the following registry entry will disable AutoRun:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
The US-CERT also recommends rebooting your system to prevent cached AutoRun information from continuing to allow mounted devices to be exploited.

No comments: