US-CERT naysays Microsoft security advisory

In Thursday's IT Blogwatch, Richi Jennings watches US-CERT's helpful augmentation of Microsoft's guidelines to prevent infection by the Conficker/Downadup worm. Not to mention Guitar Hero, circa 1982...

Gregg Keizer reports:

Microsoft Corp.'s advice on disabling Windows' "Autorun" feature is flawed, the U.S. Computer Emergency Readiness Team (US-CERT) said today, and it leaves users who rely on its guidelines to protect their PCs against the fast-spreading Downadup worm open to attack.
The flaw in Microsoft's guidelines is important at the moment, because the "Downadup" worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows' Autorun and Autoplay features.

Dan Goodin adds:

Downadup has managed to infect an estimated 9 million machines at last count using multiple attack vectors. Two of those vectors are USB flash drives and mapped network drives, which are booby-trapped with files that compromise machines that are configured to automatically connect to CD and DVD drives and other types of media.

Disabling the feature has long been a good idea, as the 2005 fiasco involving the Sony rootkit made clear ... With Downadup spreading like wildfire, disabling Autorun is an even better idea than ever.

Mark Edward Soper is super:

The Conficker/Downadup family of worms is a nasty bunch for several reasons ... Recent variants ... attach themselves to several processes, disable Windows security services such as Windows Defender, Windows Error Reporting Services, and others, and create a registry entry for faster propagation across a network ... [They] not only exploit the original Windows Server Service RPC Handling Remote Code variation, but can also spread through infected USB flash memory drives and by cracking weak network passwords. These latter methods are widely used by Conficker/Downadup to attack corporate networks ... Also infects mapped drives with autorun.inf files that spread the worm and blocks DNS requests to security sites to prevent downloading of updated antivirus and antimalware programs.
Conficker's payload - what it was designed to do - has not been triggered and is not yet known. What the developers of Conficker could do with millions of compromised PCs, the majority of which are on corporate networks, is frightening.

cbiltcliffe has seen it all before:

[Microsoft has] always been completely screwed up on anything whatsoever to do with autorun. It was a bad idea from the start, and it's just managed to get worse.

John Hasler's mind boggles:

Is it really true that you have to edit the registry to turn off autorun? There isn't any clicky? Amazing.
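Keizer's item above says Microsoft's Autorun guidance left a gap that US-CERT's advice closes, and Hasler asks whether turning Autorun off really means editing the registry. The script below is an added example, not code from the Computerworld post, Microsoft or US-CERT: it audits the two registry settings involved (the NoDriveTypeAutoRun policy value and US-CERT's IniFileMapping workaround that makes Windows ignore autorun.inf files) and, if asked, applies both. It assumes an elevated PowerShell session on a Windows host.

```powershell
# Added example: audit and optionally apply Autorun hardening on the local host.
# Assumes an elevated PowerShell session; values are the well-known ones US-CERT recommended.

function Get-AutorunPosture {
    # Policy bit mask: 0xFF disables Autorun for every drive type (HKLM wins over HKCU).
    $policyPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    $results = foreach ($p in $policyPaths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        [pscustomobject]@{
            Setting = "$p\NoDriveTypeAutoRun"
            Value   = if ($null -eq $v) { '(not set)' } else { '0x{0:X2}' -f $v }
            Ok      = ($v -eq 0xFF)
        }
    }
    # US-CERT's workaround: map Autorun.inf to a non-existent INI section so Windows
    # never honours an autorun.inf file, regardless of how the policy bits are set.
    $mapPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    $map = (Get-ItemProperty -Path $mapPath -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    $results += [pscustomobject]@{
        Setting = "$mapPath\(default)"
        Value   = if ($null -eq $map) { '(not set)' } else { $map }
        Ok      = ($map -eq '@SYS:DoesNotExist')
    }
    $results
}

function Set-AutorunHardening {
    # Applies both settings; supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $mapPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    if ($PSCmdlet.ShouldProcess($explorer, 'Set NoDriveTypeAutoRun = 0xFF')) {
        if (-not (Test-Path $explorer)) { New-Item -Path $explorer -Force | Out-Null }
        Set-ItemProperty -Path $explorer -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
    }
    if ($PSCmdlet.ShouldProcess($mapPath, 'Set (default) = @SYS:DoesNotExist')) {
        if (-not (Test-Path $mapPath)) { New-Item -Path $mapPath -Force | Out-Null }
        Set-ItemProperty -Path $mapPath -Name '(default)' -Value '@SYS:DoesNotExist'
    }
}

# Usage: review first, then remediate any row whose Ok column is False.
Get-AutorunPosture | Format-Table -AutoSize
# Set-AutorunHardening -WhatIf
```

Changes take effect for Explorer after a logoff or reboot, so re-run Get-AutorunPosture afterwards to confirm every row reports Ok = True.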


Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 23 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email:


Copyright © 2009 IDG Communications, Inc.
