Microsoft advice on plugging security hole is flawed

Recently, I posted about the “Downadup” worm as well as about the general security problem with the Windows Autorun function. Related to this problem was a post where I gave procedures recommended by Microsoft for disabling the Autorun feature and the related Autoplay.

Now the U.S. Computer Emergency Readiness Team (US-CERT) is reporting that the Microsoft-recommended procedure for Registry changes is not adequate. At Computerworld, Gregg Keizer writes:

Microsoft Corp.’s advice on disabling Windows’ “Autorun” feature is flawed, the U.S. Computer Emergency Readiness Team (US-CERT) said today, and it leaves users who rely on its guidelines to protect their PCs against the fast-spreading Downadup worm open to attack.

In an alert issued on Monday, US-CERT said Microsoft’s instructions on turning off Autorun are “not fully effective” and “could be considered a vulnerability.”

The flaw in Microsoft’s guidelines is important at the moment, because the “Downadup” worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows’ Autorun and Autoplay features.

The US-CERT site gives a detailed discussion of the problems with the Autorun fix given by Microsoft. The discussion may be more than average PC users want to read, but the solution recommended by US-CERT is the Registry edit given below. It disables the parsing of autorun.inf files, which is what triggers Autorun. (I’ll write more about autorun.inf in a future post.) The recommended Registry edit can be implemented with the following REG file:

REGEDIT4

; Map Autorun.inf to a non-existent registry key so Windows never parses it
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Microsoft has just posted a revised Knowledge Base article, How to correct “disable Autorun registry key” enforcement in Windows, which contains updated procedures.
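To check whether either mitigation is actually in place on a machine, the following PowerShell audit is added here as an example; it is not from the original post, US-CERT or Microsoft. It reads the IniFileMapping value set by the REG file above and, as an assumption about the Microsoft article, also reads the NoDriveTypeAutoRun policy value, treating 0xFF (Autorun disabled on all drive types) as the expected setting.

```powershell
# Added example, not from the original post. Read-only audit of the two
# Autorun-related Registry settings discussed above. Run from an elevated
# PowerShell prompt so HKLM can be read in full.

function Test-AutorunMitigation {
    $result = [ordered]@{}

    # 1. US-CERT mitigation: Autorun.inf parsing redirected to a key that does not exist.
    $mapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    $mapped = $null
    if (Test-Path $mapKey) {
        # '(default)' is the unnamed value that the REG file sets with "@="
        $mapped = (Get-ItemProperty -Path $mapKey -ErrorAction SilentlyContinue).'(default)'
    }
    $result.IniFileMappingValue   = if ($null -eq $mapped) { 'not set' } else { $mapped }
    $result.IniFileMappingPresent = ($mapped -eq '@SYS:DoesNotExist')

    # 2. NoDriveTypeAutoRun policy (assumed to be what the Microsoft article sets).
    #    0xFF means Autorun is disabled for every drive type; check both hives,
    #    since a per-user value can differ from the machine-wide one.
    foreach ($hive in 'HKLM', 'HKCU') {
        $polKey = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $value = $null
        if (Test-Path $polKey) {
            $value = (Get-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun `
                      -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }
        $result["${hive}_NoDriveTypeAutoRun"] = if ($null -eq $value) { 'not set' } else { '0x{0:X2}' -f $value }
        $result["${hive}_AllDrivesDisabled"]  = ($value -eq 0xFF)
    }

    [pscustomobject]$result
}

Test-AutorunMitigation | Format-List
```

A machine that has applied only one of the two fixes will show one of the two checks as false, which is exactly the gap US-CERT describes.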

Incidentally, there are reports that as many as 20 to 30% of Windows computers may be infected by this worm. I do not know the validity of these numbers.

The average home PC owner should make sure that all Microsoft security updates have been installed and should exercise vigilance about using any unfamiliar USB drives or optical disks. If you are willing to disable Autoplay, download one of the fixes given in the Microsoft article mentioned above.

Addendum: This worm is also called “Conficker”.
