Microsoft's advice on Downadup leaves users open to attack, says US-CERT
Instructions for disabling Windows' Autorun are flawed, security group says
Computerworld - Microsoft Corp.'s advice on disabling Windows' "Autorun" feature is flawed, the U.S. Computer Emergency Readiness Team (US-CERT) said today, and it leaves users who rely on its guidelines to protect their PCs against the fast-spreading Downadup worm open to attack.
In an alert issued on Monday, US-CERT said Microsoft's instructions on turning off Autorun are "not fully effective" and "could be considered a vulnerability."
The flaw in Microsoft's guidelines are important at the moment, because the "Downadup" worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows' Autorun and Autoplay features.
Autorun, the focus of the US-CERT warning, lets Windows automatically run any program specified in the "autorun.inf" on, for example, a CD or a flash drive, as soon as the disc or device is inserted or connected. By default, Windows has Autorun enabled.
The problem is that Downadup, which as of last week had infected nearly 9 million PCs worldwide, tries to spread using USB-based devices, typically flash drives. The worm creates an autorun.inf file at the root directory of any USB-based device it finds connected to the infected machine. Then, when that device is later connected to an uninfected computer, the autorun.inf file copies the worm to the machine without any action on the part of the user or the user even knowing.
The result: another PC hacked by Downadup.
Although Microsoft has not formally recommended that users disable Autorun as an anti-Downadup measure, most security companies and researchers have in light of the autorun.inf infection vector. According to US-CERT, Microsoft's advice is useless.
"The 'Autorun' and 'NoDriveTypeAutorun' registry values [specified by Microsoft] are both ineffective for fully disabling Autorun capabilities on Microsoft Windows systems," the organization said. "Setting the Autorun registry value to '0' will not prevent newly-connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed."
Likewise, the recommended "0xFF" setting for the NoDriveTypeAutorun registry entry, which Microsoft says "disables Autoplay on all drives," won't protect users from infection if they happen to double-click on the drive's icon in Windows Explorer, said US-CERT.
Instead, users should make a different modification to the Windows registry, US-CERT said. In the alert, it gave the new value as well as instructions on how to copy it to Windows Notepad and import it into the registry.
"Once these changes have been made, all of the Autorun code-execution scenarios described above will be mitigated because Windows will no longer parse autorun.inf files to determine which actions to take," read the US-CERT warning.
One security researcher said he was surprised that Microsoft didn't catch its recommendation errors, particularly in light of the ongoing Downadup attacks. "Seems unbecoming of Microsoft not to have been the one posting this information on a blog of theirs," said Andrew Storms, director of security operations at nCircle Network Security Inc.
He also bemoaned the need to edit the registry to disable Autorun. "Not only [is] editing the registry outside the [reach] of most people, but now we have learned that the information from the source is not complete," Storms added in an exchange via instant messaging.
Microsoft did not immediately reply to a request for comment on US-CERT's alert.
- Downadup worm now infects 1 in every 16 PCs, says Panda
- US-CERT: Microsoft's advice on Downadup leaves users open to attack
- FAQ: How to protect your PC against the Downadup worm
- 'Amazing' worm attack infects 9 million PCs
- 1 in 3 Windows PCs vulnerable to worm attack
- Researcher: Worm infects 1.1M Windows PCs in 24 hours
- 'Huge increase' in worm attacks plagues unpatched Windows PCs
- Microsoft releases emergency Windows patch to head off worm attack
Read more about Security in Computerworld's Security Topic Center.
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- 5 Ways Dropbox for Business Keeps Your Data Protected Protecting your data isn't a feature on a checklist, something to be tacked on as an afterthought. Download here to find out how...
- The Keys to Securing Data in a Collaborative Workplace Losing data is costly. IT professionals have spent years learning how to protect their organizations from hackers, but how do you ward off...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!