The Oldest Un-Patched Microsoft Vulnerability

It is the longest standing un-patched Microsoft vulnerability I know of, and Microsoft calls it a “feature”. Microsoft calls it “autorun”, I call it “auto-infect”.  The idea of autorun is to attempt to make it so that a person can use a computer with a minimum amount of knowledge. This emphasis away from education is part of the reason why cybercrime is so effective and so widespread. The way autorun works is that when you use removable media, such as a USB key, a CD, etc., Windows will automatically look for a file called “autorun.inf” and if it is there then Windows will do what the file says to do. The idea was that a user doesn’t have to know how to double click on setup.exe, they just put a CD or USB key in and the program runs itself. The problem is that the bad guys know that and often use autorun to install malicious software as soon as a USB drive is plugged in.

In 2008 more than 1 out of every 15 threats we detected were using autorun.inf to help infect users. In January, nearly 1 out of every 10 threats we detected at ESET used autorun. Microsoft does not provide a truly effective solution for disabling autorun and the partial solution they suggest is cumbersome. My friend, Michael Horowitz, who blogs at http://blogs.computerworld.com/horowitz, recently shared a real solution with me. You can read more about it on his blog from January 30th (http://blogs.computerworld.com/the_best_way_to_disable_autorun_to_be_protected_from_infected_usb_flash_drives). The fix works with XP and Vista.

Here’s where it gets a little bit techie. The fix involves creating a registry key. Michael provides a link to a program to do this on his blog, but I’ll tell you how to create the file here.

You need to use something like notepad, or if you use Word, then you must save the file as a plain text file, not a document. The file extension must be .reg. alternately, you can create the registry key by hand if you are so inclined.

Here are the contents of the registry file. You can copy and paste everything between the dashed lines into your file. You might name it, noautorun.reg, but the name isn’t as important as the final extension.

Please note, the second line wraps, but it is really a single line.

——————————————————————————————
REGEDIT4
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIniFileMappingAutorun.inf]
@="@SYS:DoesNotExist"
——————————————————————————————

When you create and then run the registry file it create a key called Autorun.inf in HKLM/Software/Microsoft/Windows Nt/Currentversion/IniFileMapping . The value of the key is @=@SYS:DoesNotExist.

For extra security you can go to the new autorun.inf key and set some special permissions. I go into the special permissions, add “everyone” and then deny all access except to read and query the key. This should prevent malicious software from changing the value of the key in almost all cases.

The Microsoft solution is ineffective and breaks Windows Media Player. When you use Microsoft’s solution, each time you change a CD for Media player you have to close and re-open Windows Media player for it to recognize the new disk. With the solution I am suggesting Windows media player still recognizes when you change a disc.

Giving credit where it is due, a guy named Emin Atac came up with this approach. There are few known side effects of this approach and none are as bad as the side effects of allowing auto-infect, er… autorun.

To undo the modification you can manually delete the key that was created, or use the same reg file, but place a minus sign in front of the second line… right before [HKEY….

If you have questions about this or any general security topics, feel free to email me at askeset@eset.com

Randy Abrams
Director of Technical Education

Author ESET Research, ESET

  • Subhasis

    On 24th February Microsoft issued a patch (KB967715) that is supposed to resolve “an issue in which AutoRun features were not correctly disabled”. This applies to xp sp2 & xp sp3. I don’t know if the method described here does not need this update in 100% of cases but it shows Microsoft at its worst. Just yesterday my friend gave me a memory stick with an Worm.Win32.AutoRun.mss with payload batch file Trojan-GameThief.Win32.OnLineGames.tdqz

  • lai

    thx

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

26 articles related to:
Hot Topic
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.