US-CERT Says Microsoft's Advice On Downadup Worm Bogus

CWmike writes "Microsoft's advice on disabling Windows' 'Autorun' feature is flawed, the US Computer Emergency Readiness Team (US-CERT) said today, and it leaves users who rely on its guidelines to protect their PCs against the fast-spreading Downadup worm open to attack. US-CERT said in an alert that Microsoft's instructions on turning off Autorun are 'not fully effective' and 'could be considered a vulnerability.' The flaw in Microsoft's guidelines is important at the moment, because the 'Downadup' worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows' Autorun and Autoplay features."
  • by betterunixthanunix ( 980855 ) on Wednesday January 21, 2009 @10:49PM (#26555643)
    Except that this worm spreads through usb devices and is inherently not-Internet oriented. The only really safe way to use Windows is to constantly reimage your computer or to run in a virtual machine that can be reimaged every time it runs. Within 2 years, it will be feasible to run games in a VM on typical desktop hardware (once IOMMUs are common).
  • by John Hasler ( 414242 ) on Wednesday January 21, 2009 @10:58PM (#26555715) Homepage
    Is it really true that you have to edit the registry to turn off autorun? There isn't any clicky? Amazing.
  • by transporter_ii ( 986545 ) on Wednesday January 21, 2009 @11:00PM (#26555725) Homepage

    Would like to see a worm disable some of Microsoft's DRM and see how fast they come out with a working patch.

  • by Anonymous Coward on Wednesday January 21, 2009 @11:04PM (#26555759)

    It makes me feel a bit dizzy every time I think that this "feature" is enabled by default. It's a feature in the same way that an online banking system might feature login without a password, "just type your name to instantly access your account!" It saves the user a tiny hassle against an opportunity for absolute catastrophe.

    Autorun is high on my list of stuff to disable very shortly after installing a fresh copy of Windows.

    And it's not like it's a secret that this is a vulnerability. There's a reason Apple abandoned this capability when it moved from OS 9 to OS X.

    Microsoft deserves derision for continuing to offer and promote this feature.

    If Microsoft can't be bothered by it, nor convinced it's a very, very, bad idea, then autorun should at be limited exclusively to CDs and DVDs. That would merely be a terrible idea, as opposed to a downright catastrophic one.

    Does Windows Vista or Windows 7 handle this differently than XP??

  • by Tenebrousedge ( 1226584 ) on Wednesday January 21, 2009 @11:14PM (#26555839)

    Vista is the most secure windows OS, probably. "most secure" != "secure".

    This worm is evidence that they still have a long way to go.

  • by Animaether ( 411575 ) on Wednesday January 21, 2009 @11:17PM (#26555865) Journal

    "by taking advantage of Windows' Autorun and Autoplay features"
    well no, not really.

    Granted, they take advantage of the fact that...
    1. there is an autorun feature. Is that so horrible? Probably not.
    2. that the autorun feature pops up a display letting the user choose what to do (i.e. run the program, browse the drive, view pictures if it finds them, etc.). Again, not so bad.
    3. that the autorun feature lets you customize the icon. Okay, things get a little hairy here - it's nice when the icon fits the program, but this malware uses the icon of... a folder. Just like the 'browse the disc/device' icon.
    4. that the autorun feature does not have a -clear- distinction between what are autorun directives (run the program), and what are windows' built-in features (browse the drive).

    The fourth is nearly inexcusable and if handled well, it would alleviate the third as well - just put a big red border around the darn thing (is one option, anyway).

    In the end, though, it doesn't exploit 'autorun' directly - it exploits the fact that many users will think that the option with the folder icon with (misleading) description is the regular 'browse drive' option and click it carelessly.

  • Re:Hmmm... (Score:5, Insightful)

    by toleraen ( 831634 ) * on Wednesday January 21, 2009 @11:20PM (#26555885)
    Except Microsoft didn't. According to TFA:

    Although Microsoft has not formally recommended that users disable Autorun as an anti-Downadup measure, most security companies and researchers have in light of the autorun.inf infection vector.

    The "recommendation" referred to is almost two years old [microsoft.com] and has nothing to do with the worm. Article is a troll pretty much. One support article is for disabling Autorun on CD-ROMs, while the other is for Autoplay. Neither was created specifically to support Downadup as far as I can tell.

    So no, not really suspicious at all. Bad on the "researchers" who have pointed to those articles for protection.

  • by networkzombie ( 921324 ) on Wednesday January 21, 2009 @11:36PM (#26556027)
    Many Microsoft screw-ups could be managed by changing its default settings, but unfortunately Windows caters to Grandmothers who can't follow complicated instructions such as go to run, type d:\start.exe, much less mount /dev/hdc -t iso9660 -r /cdrom, or sudo apt-get install omgponies. What really pisses me off is that the simple tools for managing common system administration are not even included with the home version, which is the version that needs the admin tools because it is more likely to be infected due to the default settings. The group policy editor is how you should disable autorun, but it isn't included with XP Home. If it were included it would be more like XP Pro, which should be their lowest version. They should have an XP tech version that allows you to increase TCP connections, and import policies without Active Directory, and allow more than 10 SMB connections, and be able to update other XP boxen with its own installed Windows patches. Oh well, at least I don't always have to tell my Mom to find My Computer, then the D Drive, which she cannot do. I just tell her to insert the damn disc. So what's my solution to this whole fiasco? ESET Nod32. Pay for it and update it. It's not perfect, but what is?
  • by Anonymous Coward on Thursday January 22, 2009 @12:07AM (#26556185)

    and yet Apple has had no problem catering to that market without adding autorun to their system. Hell, the install process for most apps on a Mac is "Drag this to your Applications folder."

  • by lysergic.acid ( 845423 ) on Thursday January 22, 2009 @12:57AM (#26556489) Homepage

    that doesn't really provide true protection against all AutoRun attacks.

    USB/flash drive-based attacks typically work by creating an autorun.inf file that replaces the default action for that device. by default, XP would simply prompt the user with a list of AutoPlay actions to take (with the AutoRun-specified action selected) when the drive is plugged in. if you "disable" AutoRun, then that menu won't pop up, but that is arguably more dangerous; the reason being that when the AutoPlay menu pops up the user has a chance to see that an unfamiliar action has been added/selected.

    if a computer-savvy user plugs in their iPod/PSP/thumbdrive and the AutoPlay menu shows some strange new action and program icon, they are going to be suspicious. they will likely select the "Open folder to view files using Windows Explorer" action to browse the volume and probably detect the malware and autorun.inf file.

    now, a typical scenario when AutoPlay is disabled is that a user will plug in an infected flash drive, open up My Computer, and proceed to double-click on the removable volume to open it for browsing. however, whether or not AutoPlay/AutoRun is enabled, an autorun.inf file can replace the default action for that volume. and this time the user has absolutely no warning (unless the malware author is dumb enough to replace the volume's icon and advertise the presence of the virus). i mean, how often do you actually right-click on a volume to select "Open" from the context menu or to check its default action? most people are in the habit of simply double-clicking on a drive icon to browse its contents.

    then there's the matter of dual-filesystem flash drives. because Microsoft places the interests of the RIAA ahead of the interests of their customers, they've used AutoRun to implement a rather dangerous DRM mechanism. if CDFS is detected on any removable volume, Windows automatically assumes that it is a protected CD and will launch any program specified by autorun.inf. this functionality will work whether or not you have configured Windows to allow AutoRun, and you cannot bypass it by holding down the "shift" key. but that can only be expected when you have DRM that's designed to "protect" the system from its user/owner.
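Animaether's and lysergic.acid's posts above describe the same autorun.inf trick: a program launch dressed up with the folder icon and the "Open folder to view files" wording, plus an overridden default double-click verb. The audit script below is an added example, not code from the article or from any poster, and it shows what a defender would look for when triaging such a file. The two sample files are constructed (the file names and menu text are placeholders, not taken from the worm); the parser deliberately tolerates junk lines and foreign sections so that padding does not break it.

```python
"""Flag autorun.inf files that use the folder-icon / default-action trick.

Added example, not from the article.  Standard library only.
"""
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*$")
# Only lines that look like a real INI directive count; anything else is
# skipped, so junk padding cannot derail the parse.
DIRECTIVE_RE = re.compile(r"^(?P<key>[A-Za-z][\w\\]*?)\s*=\s*(?P<val>.*?)\s*$")
LAUNCH_KEYS = {"open", "shellexecute"}
FOLDER_WORDS = ("open folder", "view files", "explore")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section (keys lower-cased)."""
    directives, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            in_autorun = m.group("name").strip().lower() == "autorun"
            continue
        m = DIRECTIVE_RE.match(line)
        if in_autorun and m:
            directives[m.group("key").lower()] = m.group("val")
    return directives


def audit_autorun_inf(text):
    """Report the deceptive patterns the thread describes, as a dict."""
    d = parse_autorun(text)
    findings = []
    # Any of these keys causes a program to run or be offered for running.
    launches = sorted(k for k in d
                      if k in LAUNCH_KEYS
                      or (k.startswith("shell\\") and k.endswith("\\command")))
    if launches:
        findings.append("launches a program: " + ", ".join(launches))
    if "shell" in d:
        # The default verb is what a plain double-click in My Computer runs.
        findings.append("overrides the default double-click verb (shell=%s)" % d["shell"])
    icon_trick = "shell32.dll" in d.get("icon", "").lower()
    if icon_trick:
        findings.append("borrows a built-in system icon (folder look-alike)")
    # Menu labels: the action= text and any shell\<verb>= display string.
    labels = [v for k, v in d.items()
              if k == "action" or (k.startswith("shell\\") and not k.endswith("\\command"))]
    mimics = [v for v in labels if any(w in v.lower() for w in FOLDER_WORDS)]
    if mimics and launches:
        findings.append("menu text mimics Explorer's built-in entry: " + "; ".join(mimics))
    return {
        "directives": d,
        "findings": findings,
        # A launch that disguises itself is the pattern worth escalating.
        "suspicious": bool(launches) and (icon_trick or bool(mimics)),
    }


# Constructed samples (placeholder file names, not real worm artefacts).
BENIGN_INF = """\
[autorun]
open=setup.exe
icon=setup.exe,0
label=Vendor Installer
"""

SUSPICIOUS_INF = """\
[notes]
aaaa bbbb cccc
[AutoRun]
open=payload.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
shell=explore
shell\\explore=&Open folder to view files
shell\\explore\\command=payload.exe
useautoplay=1
"""

if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("suspicious", SUSPICIOUS_INF)):
        report = audit_autorun_inf(inf)
        print(name, report["suspicious"], *report["findings"], sep="\n  ")
```

The benign installer file still gets a "launches a program" line, because that is simply what `open=` does; it is only flagged as suspicious when the launch is combined with a system icon or Explorer-style wording, which is the combination lysergic.acid's post warns a user will not notice.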

  • by Sycraft-fu ( 314770 ) on Thursday January 22, 2009 @02:42AM (#26557027)

    If they don't support it, they can't play Blu-ray (and HD-DVD before that went under). Ok well what is the average consumer going to do: Blame the AACS-LA, or which ever nebulous industry licensing authority is responsible, or blame the OS maker?

    Goes double since the media industry doesn't have to knuckle under. Remember most people watch movies on their TVs. While it isn't a trivial amount who watch on computers, it isn't the majority either. Thus they can get away with just selling to people with players while users scream at MS for "not supporting HD". Besides, you know Apple would (they do) and would use it as a marketing point.

    So I see their choice as the correct one. It gives the consumers the most options. The OS works just fine with no HDCP unless it is demanded. If it is demanded, it is supported.

    Besides, you can just as easily argue that nVidia, ATi and Intel should have killed it. If the graphics adapter doesn't support it, it's a moot issue. However they do.

  • by calmofthestorm ( 1344385 ) on Thursday January 22, 2009 @04:04AM (#26557387)

    Just because you've never noticed them doesn't mean you've never gotten a virus. Modern viruses are more intended to be quiet and do their spamming/backdoor thing these days, since users who find them may attempt to remove them.

    And no, antivirus is not much protection.

  • by SL Baur ( 19540 ) <steve@xemacs.org> on Thursday January 22, 2009 @04:37AM (#26557529) Homepage Journal

    You're comparing opening up regedit, browsing through a tree of values, and modifying one with brain surgery and rocket science???

    Hey! `FOR I = 1 . 10' once crashed a space probe.

    Apparently it *is* beyond rocket science.

  • by micheas ( 231635 ) on Thursday January 22, 2009 @05:00AM (#26557607) Homepage Journal

    chkrootkit, tripwire, clamav, shorewall, john-the-ripper, and snort run on a lot of systems considered super secure by their users.

    Some people consider their systems super secure because they know they are not they guess they are.

    The question on freebsd-security a few years ago was what was the best way to avoid denial of service attacks if you are logging to lpr. (one of the obvious suggestions is do not log repeated messages, just the number of times the message has repeated. this will increase the work required to kill your server by running through all the paper and hanging until more boxes of paper are fed to the printers.)

    That was the same list that made me realize that you should not have passwords on multiuser systems, or servers in general.

    Do you really think that people use passwords like this

      makepasswd --char=32 --count=10
    CLWwBsm1c15IFadg4KTjrHhCBjFP8RNI -- for slashdot
    RLQaXqSEfRHgLnwjjbgoJU5y4Uya2hM6 -- for gmail
    NebgFMATH990vB8US8CE4zMgeR7uum02 -- for Administrator
    SFa0qT5nIQuLYtTsq44I8336ghEBApiD -- for user account
    smcruMr8rzE6PFHzus8AmPcIoKNFy0Rh -- for facebook
    L6wynpgAHoINdQm2CWwXdfSiJrBzQ8YG -- for myspace
    Q3D1JBVXtgPNNo4bm16WAcKPMhox8s6C -- for banking
    L1hEhuisoFcnoyGEYxPYqW8Hq4Qs2EmY -- for retirement account
    2RqaobNEKyQIIoUVoFPty6EruLQhVE0F -- for work login
    s0zJFsLiWCSN0e5fCEvpi48GV4D0PjyH -- for paypal

    Phishing sites are one of the best ways to effectively get the information and tools needed to illicitly act on behalf of someone else.

    At some point public key logins via ssl will become the norm, until then, passwords will be the weak point in most systems.

    Realize that even though debian had the ultra limp ssl keys generated, it still seems to be more productive to use password guessing than to try brute forcing an almost known key. Passwords suck that bad.

    I would not be surprised if a sizable number of systems (more than 10%) in Arizona could be broken into this week with a dictionary attack of:

    cardinals
    cardina1s
    Cardina1s

    For those that want an analogy, imagine zoning laws that required NORAD style doors on all buildings and twenty percent of the population deciding that it is stupid and refusing to lock their doors. You would have a situation similar to the computer landscape today.

  • Re:Hmmm... (Score:2, Insightful)

    by uglydog ( 944971 ) on Thursday January 22, 2009 @01:15PM (#26561675)

    Neither article describes how to stop the autorun.inf file from being processed on all removable media

    So, IS there a way to stop the autorun.inf file from being processed on all removable media?

    And I think that is the main point made by the article - yeah, sure, with a bit of spin too. With all the qualifications you have on your statements, you are technically correct. However, if there are no clear instructions on how to stop the autorun.inf file from being processed on ALL media, removable or otherwise, Microsoft should provide them or explicitly say that it isn't possible. And the researchers could probably approach Microsoft in a less accusatory manner. People just want to keep their systems safe.
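uglydog asks whether there is a way to stop autorun.inf from being processed on all media, and the summary says US-CERT found the registry-only advice "not fully effective". The script below is an added example, not from the article or from the US-CERT alert, that decodes the two registry settings involved: the NoDriveTypeAutoRun bitmask under the Explorer policy key, and the IniFileMapping entry for Autorun.inf that redirects every lookup to a non-existent key, which is the approach US-CERT's alert recommended. The registry paths are the standard Windows ones; what Windows does when the bitmask value is absent varies by version, so the code assumes the worst case there (an assumption, marked in the code), and the sample values fed in off-Windows are constructed.

```python
"""Audit the registry settings that decide whether Windows honours autorun.inf.

Added example (not from the article or the US-CERT alert).  Standard library
only; the live registry read works on Windows, the decoding runs anywhere.
"""

# NoDriveTypeAutoRun is a bitmask: a set bit disables Autorun for that drive
# type.  Bit positions follow the GetDriveType() classes.
DRIVE_BITS = {
    0x01: "unknown",
    0x02: "no_root_dir",
    0x04: "removable",   # USB sticks and cameras: the Downadup vector
    0x08: "fixed",
    0x10: "remote",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "reserved",
}
DISABLE_ALL = 0xFF

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# Mapping every autorun.inf lookup to a registry key that does not exist
# makes Windows treat the file as empty, whatever the bitmask says.
MAPPING_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
MAPPING_GUARD = "@SYS:DoesNotExist"


def decode_policy(no_drive_type_autorun, mapping_default):
    """Return a report dict for the two values (None means the value is absent)."""
    if no_drive_type_autorun is None:
        # Absent value: Windows applies a built-in default that differs between
        # versions.  Assumption here: report the worst case (nothing disabled).
        mask, configured = 0, False
    else:
        mask, configured = no_drive_type_autorun & 0xFF, True
    still_enabled = sorted(name for bit, name in DRIVE_BITS.items() if not mask & bit)
    guard = (mapping_default or "").strip().lower() == MAPPING_GUARD.lower()
    return {
        "configured": configured,
        "mask": mask,
        "autorun_enabled_for": still_enabled,
        "mapping_guard": guard,
        # Only both layers together count as hardened; the bitmask by itself
        # is the advice the alert called "not fully effective".
        "hardened": mask == DISABLE_ALL and guard,
    }


def read_policy_windows():
    """Read both values from HKLM on a live Windows host and decode them."""
    import winreg  # standard library, Windows only

    def query(path, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:
            return None  # key or value missing

    return decode_policy(query(POLICY_KEY, "NoDriveTypeAutoRun"),
                         query(MAPPING_KEY, ""))  # "" = the key's (Default) value


if __name__ == "__main__":
    import json
    import sys
    if sys.platform == "win32":
        print(json.dumps(read_policy_windows(), indent=2))
    else:
        # Constructed sample: bitmask set, mapping guard absent.
        print(json.dumps(decode_policy(0x91, None), indent=2))
```

Run it on a workstation and read `autorun_enabled_for` first: if "removable" is still listed, the USB vector the summary describes is open regardless of how the CD-ROM advice was followed. The same decode function can be pointed at values exported from many hosts (for example from a group-policy results dump), which is how a fleet-wide check would be built.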
