US-CERT Says Microsoft's Advice On Downadup Worm Bogus
CWmike writes "Microsoft's advice on disabling Windows' 'Autorun' feature is flawed, the US Computer Emergency Readiness Team (US-CERT) said today, and it leaves users who rely on its guidelines to protect their PCs against the fast-spreading Downadup worm open to attack. US-CERT said in an alert that Microsoft's instructions on turning off Autorun are 'not fully effective' and 'could be considered a vulnerability.' The flaw in Microsoft's guidelines is important at the moment, because the 'Downadup' worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows' Autorun and Autoplay features."
Re:I'm a linux what's a worm? (Score:5, Informative)
November 2: The Morris worm, created by Robert Tappan Morris, infects DEC VAX and Sun machines running BSD UNIX connected to the Internet, and becomes the first worm to spread extensively "in the wild", and one of the first well-known programs exploiting buffer overrun vulnerabilities.
Re:Non-Windows User Here (Score:5, Informative)
Is it really true that you have to edit the registry to turn off autorun? There isn't any clicky? Amazing.
No it's not true. There are lots of ways to do it. The registry editor is just installed by default and pretty simple if you already know how to use it. TweakUI is a free addon Microsoft Powertoy that's worth having and gives you some control back.
http://www.annoyances.org/exec/show/article03-018 [annoyances.org]
http://antivirus.about.com/od/securitytips/ht/autorun.htm [about.com]
Re:Non-Windows User Here (Score:3, Informative)
To turn it off by default you might have to. You can just hold Shift to disable it temporarily when you plug something in, until the detection is finished.
Except it can still autorun in response to other events than plugging it in, like single clicking the drive or some applications that look for devices periodically.
Re:Even if it doesn't work... (Score:5, Informative)
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
Basically it just associates autorun.inf with a NULL system function as the default handler.
What DRM is that? (Score:4, Informative)
Seriously, what are you talking about? I see a lot of "Vista's evil DRM," tossed around, and very little in the way of specifics to back up what it does, which of course leads me to think the people doing the talking don't know what they are talking about.
So what DRM do you want to see disabled? Are you talking about HDCP, the DVI encryption? That's not MS's standard, by the way, DVD and Blu-ray players are where that's from. However, it is one of those things that you don't have to use if you don't want to. I have a Vista system connected to a monitor which has HDCP turned off (professional monitor, you can change the state manually). Means if the system required HDCP, I'd get no image. But it works fine. Reason is, HDCP is only required by Blu-ray playback software. Now you could disable it on the system, I suppose, but that'd gain you nothing. The software would just refuse to play. It wasn't as though MS said "Let's include this to fuck people." Rather it is required if you want to license Blu-ray playback.
So again, what DRM are you talking about? I'm tired of all this bitching from people who don't know what they are saying. If there is something in particular you object to, let's hear what and why. Otherwise, please stop going on about things you don't understand.
Re: what's a worm? (Score:5, Informative)
The machine took out more than a lot of mail servers, bringing them to a grinding halt for the duration.
Re:Non-Windows User Here (Score:3, Informative)
run services.msc OR Ctrl Panel -> Administrative Tools -> Services
stop and disable service: Shell Hardware Detection
No more auto-run or auto-play
Re:Non-Windows User Here (Score:5, Informative)
There's a right and wrong way to disable Windows Autorun [theregister.co.uk]
How to correct "disable Autorun registry key" enforcement in Windows [microsoft.com]
Re:by taking advantage of ... users. (Score:3, Informative)
Microsoft introduced this when the only autorun capable device was a CD-ROM player and the only CD-ROMs were those manufactured. The idea of a "malware CD" was preposterous.
Any CD-based game for Windows was required to make use of Autorun/Autoplay in order to receive the Windows logo. It was designed to make inserting the disc with zero or minimal install operate like putting a cartridge or CD into a game console.
I am not familiar with any autorun capability on USB drives, but they have Autoplay. Autoplay requires the user's cooperation to do anything.
Re: what's a worm? (Score:3, Informative)
Perhaps it's more accurate to say that the Morris Worm did not carry a destructive payload. It's true that it brought down more than a few servers, but that was only because it spread so rampantly without -- as with many modern worms -- any kind of rate-limiting logic.
Re:Windows itself is a vulnerability. (Score:5, Informative)
Which is just not feasible sometimes. Every few weeks, someone I am working with -- yes, some of us must work with others on our computers -- brings me some files on a thumb drive. I have no choice but to plug that drive into my computer and deal with it, other than not getting my work done at all.
"Putting them in a limited user account and putting a good AV to scan whatever folder they are downloading crap to usually does the trick."
When I used to repair computers, I found that doing this invariably led to questions like, "Why can't I install [insert well known program name here]?" Windows systems really are not oriented toward this sort of security for single users who cannot just call up their helpdesk whenever they need some software installed.
"If you put these types on OSX or Linux they would break just as much as they do on Windows. They would just be loading "Hot_Pron_codec.dmg" or "killer_tune.sh" instead of an
Except that in OSX and Linux (and BSD and Solaris and all *nix systems) files have to be explicitly declared executable. A user receiving LatestPopSong.mp3.sh would just sit there confused and asking, "Why does it keep opening this song in a text editor? Why does my music player keep getting confused?" In distros that enable SELinux, you can have even more security -- for example, a policy that prevents programs which are not part of Firefox from writing to the Firefox configuration, which would prevent typical virus-installing-keylogger-in-web browser attacks that seem to be so common today; such a policy could be maintained by the distro packagers themselves; in fact, Fedora already gives the
Yes, if administered by experts, Windows can remain secure even when connected to the Internet, I will not deny that. Most single user Windows installations are not administered by experts, and unlike big name Linux distros, Microsoft does not have thousands of people tuning the Windows security policies, nor do they have tens of thousands (perhaps hundreds of thousands) of people fixing bugs.
Re:Non-Windows User Here (Score:4, Informative)
I would be, if it was true. It isn't. Autoplay, something completely different that was introduced in XP, is there for USB devices but not Autorun. Autoplay requires user interaction to do anything, which is why the whole folder icon fooling people is a big deal.
If I get you to click on a link that says you get $1000 for clicking on the link but it really installs software (requiring more clicks to approve) and you do it anyway - and keep confirming it, over and over, I'd say it is your own fault.
Re:What DRM is that? (Score:4, Informative)
Yes, and I love Vista's audio system. Wonderful implementation. Vista gets quality sound, from an arbitrary number of apps on any soundcard. It does high quality (32-bit floating point) software mixing of all audio streams. So even if you have a cheap Sigmatel integrated chipset, you get good results. No longer do you need to buy a soundcard with hardware mixing to get good sound. Likewise, you can control the volume on individual apps, regardless of whether they wish to provide volume control or not. Useful for web browsers. You get sites that want to make noise at you, you just mute the browser, while still listening to music. Its resampling engine is also great. It opens up the sound card in the mode you tell it to, and resamples all audio to that. In XP if you had an old app that used a low sample rate, the soundcard would be opened in that and any other apps that played at the same time would be downsampled. Not a problem in Vista, you specify the rate, it handles the conversion.
Also works great for pro audio. WDM/KS still works just like it did before, and indeed Vista will allow KS apps to take exclusive control over the card if needed. Also ASIO works fine, it rides alongside the Vista audio system and isn't affected by it. Then there's the new WaveRT mode. Not a whole lot of support yet, but from playing with it, it is excellent. Extremely low latency, low CPU usage, and low glitches. Wonderful for realtime sound on sound stuff.
So personally, I think Vista's audio system is a real step up. I like the way it works with my consumer apps, I like the way it works with my pro apps.
Re:You'll still have to keep ahead of the tide (Score:5, Informative)
I remember the days pre-Windows when UNIX vendors were cursed and sworn at because they didn't patch the latest bugs quickly.
People will attack whatever operating system gives them the most bots for the buck. If the predominant OS is a UNIX, then it will be invisible .ko/.kext modules that will be the sysadmin's bane.
Right now, there are two main attack vectors other than the PEBKAC "hole" and social engineering. The first, a direct attack on a machine, can be mitigated by a solid firewalling router, so an attacker has to deal with a hardened attack surface before touching the more chewy machines behind it.
The second attack vector is the Web browser. It is in constant contact with untrusted code. To secure this beast takes more than just good defensive programming because even with a solid browser, a third party plugin might cause issues. It takes cooperation on multiple levels, where the OS has hooks to run the browser in a sandbox, but yet allow it to have upload/download functionality that users want. Vista's protected mode of IE7 is a great start, but all Web browsers need this protection, whether it be done by SELinux type profiles that exist in various Linux distros, or actual virtual machines that completely roll back all changes except to the bookmarks when the user is done and closes the browser session. Solving this problem will close a lot of potential security threats.
Finally, autorun just needs to go, and be replaced by a different, more secure system. Autoplay can stay, but it should never run anything other than showing the root of a CD or DVD, or pulling up a media player if a CD or DVD is inserted. In no way should an executable ever be automatically executed by default. It's just too easy these days to make a U3 flash drive with a bogus CD partition with malware present.
Re:Hmmm... (Score:2, Informative)
Little tip for anyone who has "morons" in the family.
On each new USB device, create a folder (important, MUST be a folder, NOT a file), called autorun.inf. Then set the attributes on that file to +S +H +R +A (system, hidden, read only, archive).
Voila, whatever PC they promiscuously stick their USB in, this attack vector is null and void, as the virus cannot overwrite a folder with a file of the same name.
YMMV, but since learning this tip, my missus and kids have brought home zero nasties from work, school, college etc.
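As an added example (not code from any commenter here), a small Python checker that parses an autorun.inf in the way Autorun reads it (the [autorun] section, with open= and shellexecute= being the directives that launch a program) and reports whether a volume carries an executing autorun.inf, a merely cosmetic one, or the protective autorun.inf folder from the tip above. The sample autorun.inf contents and the volume layout are constructed; only the folder's existence is checked, not the +S +H +R attributes, so it runs on any OS.

```python
import os
import tempfile

# Directives in the [autorun] section that make Windows Autorun launch a program.
EXEC_KEYS = ("open", "shellexecute")
# Constructed sample autorun.inf contents (not taken from any real worm).
SAMPLE_EXEC = "[AutoRun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\n"
SAMPLE_INERT = "[autorun]\r\nlabel=Holiday Photos\r\nicon=photos.ico\r\n"

def parse_autorun(text):
    """Parse INI-style text into {section: {key: value}} with lowercased names; junk lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None and not line.startswith(";"):
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def assess_volume(root):
    """Classify a volume root: 'blocked' (autorun.inf is a folder, the tip above), 'executes'
    (open=/shellexecute= present), 'inert' (only cosmetic keys such as label/icon) or 'none'."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return "blocked"
    if not os.path.isfile(path):
        return "none"
    with open(path, "r", errors="replace") as fh:  # replace: real samples often carry binary junk
        directives = parse_autorun(fh.read()).get("autorun", {})
    return "executes" if any(k in directives for k in EXEC_KEYS) else "inert"

def demo():
    """Lay out four constructed volumes in a temp dir and classify each one."""
    base = tempfile.mkdtemp()
    layouts = {"exec": SAMPLE_EXEC, "inert": SAMPLE_INERT, "blocked": None, "empty": None}
    results = {}
    for name, content in layouts.items():
        root = os.path.join(base, name)
        os.makedirs(root)
        target = os.path.join(root, "autorun.inf")
        if name == "blocked":
            os.mkdir(target)  # a directory occupies the name, so no file can take it
        elif content is not None:
            with open(target, "w", newline="") as fh:
                fh.write(content)
        results[name] = assess_volume(root)
    return results
```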
Re:Concerned: Anybody else using MS Update Service (Score:3, Informative)
Unfortunately KB950582 [microsoft.com] was not classified as a required security patch for Windows XP, and consequently not included for distribution in Windows Update or WSUS.
Re:Windows itself is a vulnerability. (Score:3, Informative)
SELinux goes a long way toward containing viruses, as long as the distro maintains decent default policies. For example, only files from the Mozilla packages should be able to modify ~/.mozilla/ or any files in that directory, and Fedora's SELinux policy puts those files in their own context.
So, when I want to use vi to edit one of the text files that are used to configure Firefox, I can't?
Although this might be more secure, I call it just a pain in the ass. Most of the SELinux policies fall into this category, although a few are just a pain in the ass without being any more secure. Add the following to your .bashrc to work around one of them:
iptables-save() {
    # Pass all arguments through unchanged; piping through cat is the workaround described above.
    /sbin/iptables-save "$@" | cat -
}
If this same sort of hack works with the Mozilla SELinux policy, then all you would need to do is read the files from the ~/.mozilla directory, write out any changes to someplace like /tmp, then "download" the files from /tmp using Firefox and store it in the correct place in ~/.mozilla. I'll bet, though, that all that would be required is the "pipe it through a trusted program" hack would work, too.