Microsoft Corp. late Wednesday countered claims by the U.S. Computer Emergency Readiness Team (US-CERT) that its advice for disabling Windows' Autorun feature was flawed, prompting US-CERT to update an alert that it had issued earlier in the day.
"US-CERT has updated their post about Autorun, pointing to Microsoft Knowledge Base (KB) Article 953252," said Microsoft spokesman Bill Sisk in an e-mail. "This KB article was published in May 2008."
The support document Sisk referred to, titled "How to correct 'disable Autorun registry key' enforcement in Windows," acknowledged that Microsoft's older guidelines "did not correctly disable Autorun features" and told users to download an update to make the registry tweak work.
Sisk was responding to questions posed after US-CERT -- the U.S. Department of Homeland Security's cybersecurity coordination group -- said Microsoft's instructions for turning off Autorun were "not fully effective" and "could be considered a vulnerability."
Microsoft's Autorun recommendations, said US-CERT then, were important because of the rapid spread of "Downadup," a worm that has infected an estimated 6% of all PCs worldwide. Downadup, which has received considerable attention because it exploits a bug that Microsoft patched with an emergency fix in October 2008, can also spread through USB devices such as flash drives using Windows' Autorun and Autoplay features.
US-CERT modified its Wednesday alert to acknowledge that it had overlooked the May support document, but it has not pulled the original warning or altered the title, "Microsoft Windows Does Not Disable AutoRun Properly."
Even as it updated the alert, however, US-CERT said that most Windows users would have to manually go to Microsoft's Web site to grab the KB953252 update.
"Note that this fix has been released via [Windows] Update to Windows Vista and Server 2008 systems as part of the MS08-038 Security Bulletin," said the security organization, talking about a July 2008 patch. "Windows 2000, XP and Server 2003 users must install the update manually."
Microsoft has not issued the KB953252 update to Windows 2000, XP or Server 2003 systems via Windows Update or the corporate-oriented Windows Server Update Services (WSUS).
US-CERT confirmed that the KB653252 update does fix the bug it had pointed out the day before. "Our testing has shown that installing this update and setting the NoDriveTypeAutoRun registry value to 0xFF will disable Autorun," said US-CERT.
Links to the necessary Windows 2000, XP and Server 2003 updates can be found on Microsoft's site.