US-CERT Says Microsoft's Advice On Downadup Worm Bogus

Posted by samzenpus
from the protect-yourself-at-all-times dept.
CWmike writes "Microsoft's advice on disabling Windows' 'Autorun' feature is flawed, the US Computer Emergency Readiness Team (US-CERT) said today, and it leaves users who rely on its guidelines to protect their PCs against the fast-spreading Downadup worm open to attack. US-CERT said in an alert that Microsoft's instructions on turning off Autorun are 'not fully effective' and 'could be considered a vulnerability.' The flaw in Microsoft's guidelines is important at the moment, because the 'Downadup' worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows' Autorun and Autoplay features."

  • by John Hasler (414242) on Wednesday January 21, 2009 @09:58PM (#26555715) Homepage
    Is it really true that you have to edit the registry to turn off autorun? There isn't any clicky? Amazing.
    • by Ilgaz (86384)

      Aren't you shocked that Autorun on USB class device (key) is enabled by default?

      • by cdrguru (88047) on Wednesday January 21, 2009 @11:21PM (#26556255) Homepage

        I would be, if it was true. It isn't. Autoplay, something completely different that was introduced in XP is there for USB devices but not Autorun. Autoplay requires user interaction to do anything, which is why the whole folder icon fooling people is a big deal.

        If I get you to click on a link that says you get $1000 for clicking on the link but it really installs software (requiring more clicks to approve) and you do it anyway - and keep confirming it, over and over, I'd say it is your own fault.

        • by EvanED (569694)

          Autorun also works if the flash drive pretends it's something else, like a USB CD drive. Then Windows will allow autorun. There are entire lines [u3.com] of USB drives that have this (mis)feature.

          • by Ilgaz (86384)

            Funny thing is, they copy everything from OS X regarding ease of use but they don't stop a second and think why Apple, the king of usability, stayed away from autorun/auto play. Doesn't Apple have a similar feature? Of course, if you set a special bit/file (not sure, Roxio Toast and Apple do it), it auto opens a Finder window when a CD/DVD is inserted, only showing its contents and nothing else.

            If it wasn't shouting "security/stability risk", Apple would put that feature back in MacOS days.

    • by Neoprofin (871029)
      To default turn it off you might have to. You can just hold shift and disable it temporarily when you plug something in until the detection is finished.
      • Re: (Score:3, Informative)

        To default turn it off you might have to. You can just hold shift and disable it temporarily when you plug something in until the detection is finished.

        Except it can still autorun in response to other events than plugging it in, like single clicking the drive or some applications that look for devices periodically.

        • by Neoprofin (871029)
          Hey, my XP installs have autorun stripped out, I was just answering his question about "clickies". There is a key for it.
      • by lysergic.acid (845423) on Wednesday January 21, 2009 @11:57PM (#26556489) Homepage

        that doesn't really provide true protection against all AutoRun attacks.

        USB/flash drive-based attacks typically work by creating an autorun.inf file that replaces the default action for that device. by default, XP would simply prompt the user with a list of AutoPlay actions to take (with the AutoRun-specified action selected) when the drive is plugged in. if you "disable" AutoRun, then that menu won't pop-up, but that is arguably more dangerous; the reason being that when the AutoPlay menu pops up the user has a chance to see that an unfamiliar action has been added/selected.

        if a computer-savvy user plugs in their iPod/PSP/thumbdrive and the AutoPlay menu shows some strange new action and program icon, they are going to be suspicious. they will likely select the "Open folder to view files using Windows Explorer" action to browse the volume and probably detect the malware and autorun.inf file.

        now, a typical scenario when AutoPlay is disabled is that a user will plug in an infected flash drive, open up My Computer, and proceed to double-click on the removable volume to open it for browsing. however, whether or not AutoPlay/AutoRun is enabled, an autorun.inf file can replace the default action for that volume. and this time the user has absolutely no warning (unless the malware author is dumb enough to replace the volume's icon and advertise the presence of the virus). i mean, how often do you actually right-click on a volume to select "Open" from the context menu or to check its default action? most people are in the habit of simply double-clicking on a drive icon to browse its contents.

        then there's the matter of dual-filesystem flash drives. because Microsoft places the interests of the RIAA ahead of the interests of their customers, they've used AutoRun to implement a rather dangerous DRM mechanism. if CDFS is detected on any removable volume, Windows automatically assumes that it is a protected CD and will launch any program specified by autorun.inf. this functionality will work whether or not you have configured Windows to allow AutoRun or not, and you cannot bypass it by holding down the "shift" key. but that can only be expected when you have DRM that's designed to "protect" the system from its user/owner.

        • by Neoprofin (871029)
          The man just wanted to know if there wasn't a "clicky" to turn off autorun, I didn't say it fixed the problem.
    • by syousef (465911) on Wednesday January 21, 2009 @10:07PM (#26555787) Journal

      Is it really true that you have to edit the registry to turn off autorun? There isn't any clicky? Amazing.
      No it's not true. There are lots of ways to do it. The registry editor is just installed by default and pretty simple if you already know how to use it. TweakUI is a free addon Microsoft Powertoy that's worth having and gives you some control back.

      http://www.annoyances.org/exec/show/article03-018 [annoyances.org]
      http://antivirus.about.com/od/securitytips/ht/autorun.htm [about.com]

      • by KindMind (897865) on Wednesday January 21, 2009 @10:35PM (#26556013)
        The Register says that the US-CERT article is based on an old MS article, and has since updated.
        There's a right and wrong way to disable Windows Autorun [theregister.co.uk]
        How to correct "disable Autorun registry key" enforcement in Windows [microsoft.com]
      • by arminw (717974)

        ... and pretty simple if you already know how to use it....

        Brain surgery and rocket science are also easy if you already know how to do these. To those that don't have the ability, the time, nor the desire to go to the trouble of learning the arcane art of registry editing, the best thing to do is to choose an OS that doesn't have a registry and is not subject to any of the nearly 100,000 instances of malware made specifically for hapless Windows users. There is little or nothing that the intelligent users

        • by syousef (465911) on Wednesday January 21, 2009 @11:44PM (#26556387) Journal

          Brain surgery and rocket science are also easy if you already know how to do these

          Let me get this straight. You're comparing opening up regedit, browsing through a tree of values, and modifying one with brain surgery and rocket science??? You call it "the art of registry editing". I could teach any even semi-competent person how to use regedit in an hour max assuming nothing more than windows knowledge.

          As for the abomination that is the windows registry I agree it's awful and for more than just the reasons you point out, but it's no harder to change a single registry entry than to change an ini file field value. I wouldn't compare the use of notepad to edit an ini file to brain surgery or rocket science either.

          • by arminw (717974)

            ...I could teach any even semi-competent person....

            That wasn't my point. Anything is easy once you know how to do it, including rocket science. There are some people intelligent and motivated enough to learn it. There are after all rocket scientists who are still merely human. I have no doubt that you can teach a person to use regedit. The question is one of wanting or needing to, just to keep a computer secure. There are automobile owners who also learn how to rebuild their engines or automatic transmissio

          • Re: (Score:3, Insightful)

            by SL Baur (19540)

            You're comparing opening up regedit, browsing through a tree of values, and modifying one with brain surgery and rocket science???

            Hey! `FOR I = 1 . 10' once crashed a space probe.

            Apparently it *is* beyond rocket science.

        • by X0563511 (793323)

          For games, there are dedicated devices that are cheaper and better.

          Says the one that hasn't seen a new game on new hardware connected to a very large TV screen... I'm not arguing about cheaper, but don't try to tell me a console is better.

        • by nlawalker (804108)

          brain surgery and rocket science

          Funny you should say that; I think a comparison between the registry and a command line interface is pretty valid. Powerful if you know how to use it, dangerous if you don't, and a lot of people use it only when given specific instructions (a specific key or command) by someone else.

    • Re: (Score:3, Informative)

      by TubeSteak (669689)

      run services.msc OR Ctrl Panel -> Administrative Tools -> Services
      stop and disable service: Shell Hardware Detection

      No more auto-run or auto-play

      • Bingo!

        It does not matter the name,
        if software executes beyond user control.
        Auto-run, auto-play.

        It should be called Auto-Blackmagic.

    • by Repton (60818)

      When I set up a Windows XP computer, I use TweakUI [microsoft.com] to disable autorun for all drives and all media types.

      I hope that is sufficient...

    • Re: (Score:3, Funny)

      by symbolset (646467)

      You clearly underestimate the necessity of such a useful feature as autorun. Sure, Microsoft innovates in this area, but the feature is becoming more common in all devices.

      My cell phone has auto-answer. My dvr has auto-record. My paper shredder even automatically runs when you put paper in.

      There is a downside of course. The auto-run on the disposal has mangled a fork and a few spoons. The auto-run on the table saw was the most disconcerting, but if you're on your toes about precautions nothing bad wi

  • by Anonymous Coward on Wednesday January 21, 2009 @10:04PM (#26555759)

    It makes me feel a bit dizzy every time I think that this "feature" is enabled by default. It's a feature in the same way that an online banking system might feature login without a password, "just type your name to instantly access your account!" It saves the user a tiny hassle against an opportunity for absolute catastrophe.

    Autorun is high on my list of stuff to disable very shortly after installing a fresh copy of Windows.

    And it's not like it's a secret that this is a vulnerability. There's a reason Apple abandoned this capability when it moved from OS 9 to OS X.

    Microsoft deserves derision for continuing to offer and promote this feature.

    If Microsoft can't be bothered by it, nor convinced it's a very, very, bad idea, then autorun should at least be limited exclusively to CDs and DVDs. That would merely be a terrible idea, as opposed to a downright catastrophic one.

    Does Windows Vista or Windows 7 handle this differently than XP?

  • Wrong link (Score:5, Informative)

    by asifyoucare (302582) on Wednesday January 21, 2009 @10:04PM (#26555767)

    Why link to a computerworld article about CERT's advice when you could link directly to the CERT article [us-cert.gov]?

    The computerworld article adds little.

  • Even though autorun is like one of the dumbest ideas ever, MS thinks of it as a COOL FEATURE and disabling it is going to break the COOL AUTOMATION that they have sold your grandma, who will no longer be able to just plug her camera into the computer and have it do its thing automatically. Their users might have to THINK which we all know is a bad thing, especially if you are thinking about how well your Microsoft product works.
    • Re: (Score:2, Informative)

      by Ithaca_nz (661774)
      1. If autorun is running an arbitrary executable on removable media just because, then yes, I would consider it one of the more idiotic ideas that has come up.
      2. If autorun is running a known application already installed on the PC when a recognised device type is connected, then no it's not the "dumbest idea ever".

      There's no technical reason that you need (1) active to support (2). Whether there is a way to separately disable them in Windows is another question. (anyone have an answer to that?)
    • Auto starting an application to display and download photos from a camera is not the same as running an executable that is found on the camera. One can be done without the other.
    • Actually in Vista (and XP SP3, or is it 2?) Autorun by default shows a dialog asking you what you want to do with the software, it doesn't run anything on the device/CD unless you explicitly select that option.
    • by Ilgaz (86384)

      Autorun thing was "invented" on Windows 95 right? There were thousands of evil MS-DOS viruses back that time which are sometimes way more advanced than the Visual Basic junk of today.

      What makes me shrug is that fact. It is not like MS-DOS was virus free and they already had reports of Windows 3.1 breaking because of DOS viruses. First thing they invent on a DOS Hybrid OS? Autorun which will run anything said on autorun.inf file. Well, lets say in Windows 95 times, a CD-R really cost too much. What about W

  • by Animaether (411575) on Wednesday January 21, 2009 @10:17PM (#26555865) Journal

    "by taking advantage of Windows' Autorun and Autoplay features"
    well no, not really.

    Granted, they take advantage of the fact that...
    1. there is an autorun feature. Is that so horrible? Probably not.
    2. that the autorun feature pops up a display letting the user choose what to do (i.e. run the program, browse the drive, view pictures if it finds them, etc.). Again, not so bad.
    3. that the autorun feature lets you customize the icon. Okay, things get a little hairy here - it's nice when the icon fits the program, but this malware uses the icon of... a folder. Just like the 'browse the disc/device' icon.
    4. that the autorun feature does not have a -clear- distinction between what are autorun directives (run the program), and what are windows' built-in features (browse the drive).

    The fourth is nearly inexcusable and if handled well, it would alleviate the third as well - just put a big red border around the darn thing (is one option, anyway).

    In the end, though, it doesn't exploit 'autorun' directly - it exploits the fact that many users will think that the option with the folder icon with (misleading) description is the regular 'browse drive' option and click it carelessly.
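An added example, not part of any comment in this thread and not code from Microsoft or US-CERT: a small Python auditor for a volume's autorun.inf that reports what lysergic.acid's and Animaether's comments describe, namely a replaced default action, a launch command, and an action label or icon that imitates the built-in "Open folder to view files" entry. The sample files, the finding names and the look-alike heuristics are constructed for illustration.

```python
import re

# autorun.inf keys that name a program to launch.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command adds a drive context-menu verb bound to a command.
VERB_CMD = re.compile(r"^shell\\([^\\]+)\\command$", re.I)
# Heuristics (assumptions of this example): label text resembling the built-in
# browse entry, and an icon taken from a Windows system DLL.
LOOKALIKE = re.compile(r"open folder|view files", re.I)
SYSTEM_ICON = re.compile(r"shell32\.dll", re.I)

# Constructed samples; PLACEHOLDER.exe is not a real file name.
SAMPLE_SPOOFED = r"""
; constructed sample
[autorun]
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
shellexecute=PLACEHOLDER.exe
shell\browse\command=PLACEHOLDER.exe
shell=browse
"""
SAMPLE_BENIGN = r"""
[autorun]
label=Holiday photos
icon=camera.ico
"""


def parse_autorun(text):
    """Return the [autorun] section as {lower-cased key: value}; junk is skipped."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def audit(text):
    """Return a sorted list of finding names for one autorun.inf."""
    e = parse_autorun(text)
    verbs = {m.group(1).lower() for m in map(VERB_CMD.match, e) if m}
    findings = set()
    if e.keys() & LAUNCH_KEYS:
        findings.add("launch-command")
    if verbs:
        findings.add("custom-verb-command")
    if e.get("shell", "").lower() in verbs:
        findings.add("sets-default-verb")  # the drive's default action is replaced
    if findings:  # presentation only matters when something would run
        if LOOKALIKE.search(e.get("action", "")):
            findings.add("action-imitates-browse")
        if SYSTEM_ICON.search(e.get("icon", "")):
            findings.add("system-icon")
    return sorted(findings)


if __name__ == "__main__":
    print(audit(SAMPLE_SPOOFED), audit(SAMPLE_BENIGN))
```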

    • You really do a good job, but defending "autorun" is just preposterous. This was always obviously a dire security hole, but Microsoft still (???) denies it is a bug. They responded to criticism only by adding another layer and making it harder to turn off. Automounting is a positive feature, but auto-execution by default is an anti-feature. Even if it were opt-in it would be bad design.

      • This was always obviously a dire security hole, but Microsoft still (???) denies it is a bug.

        It's not a bug. It's a misfeature. There are a huge number of very good reasons to have it (half the population or so), it's just that there are stronger reasons that it's bad.

      • Re: (Score:3, Informative)

        by cdrguru (88047)

        Microsoft introduced this when the only autorun capable device was a CD-ROM player and the only CD-ROMs were those manufactured. The idea of a "malware CD" was preposterous.

        Any CD-based game for Windows was required to make use of Autorun/Autoplay in order to receive the Windows logo. It was designed to make inserting the disc with zero or minimal install operate like putting a cartridge or CD into a game console.

        I am not familiar with any autorun capability on USB drives, but they have Autoplay. Autopl

        • by Compholio (770966)
          Some USB flash drives have features that allow them to show up as CD-rom drives as far as Windows is concerned. I've personally never tried to play with this feature to get it to load something other than the manufacturer intended - but I do know that when you plug these drives in on Windows that they do not prompt you before launching their autorun application.
    • there is an autorun feature. Is that so horrible? Probably not.

      Yes, actually it probably is a horrible feature which hurts most precisely those whom it was meant to help (i.e. the barely computer literate people). Everyone that I know who knows about this feature or cares at all about security turns it off. At the very least, if an OS is going to include this type of feature then it should be tied in with a trusted source system, using public key cryptography and certificates for example, so that only trusted sources can use the autorun feature (assuming that is turned

  • TweakUI anyone? (Score:3, Interesting)

    by whoever57 (658626) on Wednesday January 21, 2009 @10:23PM (#26555909) Journal
    Why did neither MS nor CERT suggest the use of TweakUI to turn off Autorun?
    • by rodgster (671476)

      Does anyone know for certain if disabling autorun on all drives using tweakui eliminates the attack vector?

  • Many Microsoft screw ups could be managed by changing its default settings, but unfortunately Windows caters to Grandmothers who can't follow complicated instructions such as go to run, type d:\start.exe, much less mount /dev/hdc -t iso9660 -r /cdrom, or sudo apt-get install omgponies. What really pisses me off is that the simple tools for managing common system administration are not even included with the home version, which is the version that needs the admin tools because it is more likely to be infecte
    • Re: (Score:3, Funny)

      by grumling (94709)

      Reading package lists... Done
      Building dependency tree
      Reading state information... Done
      E: Couldn't find package omgponies

      Hey... That didn't work.

    • by afidel (530433)
      They should have an XP tech version that allows you to increase TCP connections, and import policies without Active Directory, and allow more than 10 SMB connections, and be able to update other XP boxen with its own installed Windows patches.

      They do, it's called Windows Server 2003 with WSUS installed =)
  • Just install the update that Microsoft released in October?
