Slashdot Mirror


US-CERT Says Microsoft's Advice On Downadup Worm Bogus

CWmike writes "Microsoft's advice on disabling Windows' 'Autorun' feature is flawed, the US Computer Emergency Readiness Team (US-CERT) said today, and it leaves users who rely on its guidelines to protect their PCs against the fast-spreading Downadup worm open to attack. US-CERT said in an alert that Microsoft's instructions on turning off Autorun are 'not fully effective' and 'could be considered a vulnerability.' The flaw in Microsoft's guidelines is important at the moment, because the 'Downadup' worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows' Autorun and Autoplay features."

9 of 290 comments

  1. Re:I'm a linux what's a worm? by idiotwithastick · · Score: 4, Informative
    Wikipedia says that the first worm spread through BSD UNIX. (1988):

    November 2: The Morris worm, created by Robert Tappan Morris, infects DEC VAX and Sun machines running BSD UNIX connected to the Internet, and becomes the first worm to spread extensively "in the wild", and one of the first well-known programs exploiting buffer overrun vulnerabilities.

  3. Re:Non-Windows User Here by syousef · · Score: 4, Informative

    Is it really true that you have to edit the registry to turn off autorun? There isn't any clicky? Amazing.
    No it's not true. There are lots of ways to do it. The registry editor is just installed by default and pretty simple if you already know how to use it. TweakUI is a free addon Microsoft Powertoy that's worth having and gives you some control back.

    http://www.annoyances.org/exec/show/article03-018
    http://antivirus.about.com/od/securitytips/ht/autorun.htm

    --
    These posts express my own personal views, not those of my employer
  4. Re:Even if it doesn't work... by afidel · · Score: 5, Informative

    The problem is the Microsoft solution doesn't really disable autorun fully because they didn't think of all codepaths by which the behavior can be launched. The solution CERT gives is beautiful in its simplicity:
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"

    Basically it just associates autorun.inf with a NULL system function as the default handler.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
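An added example, not from this thread or any of its posters: a read-only PowerShell audit that reports whether the US-CERT IniFileMapping mitigation quoted above is in place, alongside Microsoft's NoDriveTypeAutoRun policy value in both hives. The Policies\Explorer paths are the standard locations for that value; nothing here is written to the registry.

```powershell
# Added example (not from the thread): audit a Windows host for the two
# Autorun-hardening settings discussed above. Reports only; changes nothing.

function Test-AutorunHardening {
    $result = [ordered]@{}

    # 1. US-CERT mitigation: Autorun.inf is mapped to a registry location
    #    that does not exist, so Windows never parses the file at all,
    #    regardless of drive type. The key's (default) value must match.
    $mapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    $mapValue = $null
    if (Test-Path $mapKey) {
        $mapValue = (Get-ItemProperty -Path $mapKey -ErrorAction SilentlyContinue).'(default)'
    }
    $result['IniFileMapping_present'] = ($mapValue -eq '@SYS:DoesNotExist')

    # 2. Microsoft's policy value, checked per machine and per user. 0xFF
    #    disables Autorun for every drive type; any smaller bitmask still
    #    leaves some drive types (typically removable media) enabled.
    $policyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($hive in 'HKLM', 'HKCU') {
        $p = "${hive}:\$policyPath"
        $v = $null
        if (Test-Path $p) {
            $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }
        $result["NoDriveTypeAutoRun_$hive"] = if ($null -ne $v) { '0x{0:X2}' -f $v } else { 'not set' }
        $result["AllDrivesDisabled_$hive"]  = ($null -ne $v -and $v -eq 0xFF)
    }

    [pscustomobject]$result
}

Test-AutorunHardening | Format-List
```

Both checks passing is the state the thread recommends: the policy value alone is the Microsoft guidance US-CERT called incomplete, and the IniFileMapping entry is the part that covers the remaining code paths.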
  5. Re: what's a worm? by http · · Score: 5, Informative

    Did nothing?? What planet were you on?
    The machine took out more than a lot of mail servers, bringing them to a grinding halt for the duration.

    --
    If opportunity came disguised as temptation, one knock would be enough.
    3^2 * 67^1 * 977^1
  6. Re:Non-Windows User Here by KindMind · · Score: 5, Informative

    The Register says that the US-CERT article is based on an old MS article, and has since updated.
    There's a right and wrong way to disable Windows Autorun
    How to correct "disable Autorun registry key" enforcement in Windows

    --
    Politicians complicate life - logic is sacrificed on the altar of political expediency.
  7. Re:Autorun has always been a vulnerability by Shadow-isoHunt · · Score: 4, Informative

    Limiting autorun to CDs or DVDs doesn't help, because U3 flashdrives come with a rewritable partition that appears as a CD drive, which is also read only. Google "usb switchblade"

    --
    www.isoHunt.com
  8. Re:Windows itself is a vulnerability. by betterunixthanunix · · Score: 5, Informative

    "Or you could, oh I don't know, not let morons near your computer?"

    Which is just not feasible sometimes. Every few weeks, someone I am working with -- yes, some of us must work with others on our computers -- brings me some files on a thumb drive. I have no choice but to plug that drive into my computer and deal with it, other than not getting my work done at all.

    "Putting them in a limited user account and putting a good AV to scan whatever folder they are downloading crap to usually does the trick."

    When I used to repair computers, I found that doing this invariably led to questions like, "Why can't I install [insert well known program name here]?" Windows systems really are not oriented toward this sort of security for single users who cannot just call up their helpdesk whenever they need some software installed.

    "If you put these types on OSX or Linux they would break just as much as they do on Windows. They would just be loading "Hot_Pron_codec.dmg" or "killer_tune.sh" instead of an .exe."

    Except that in OSX and Linux (and BSD and Solaris and all *nix systems) files have to be explicitly declared executable. A user receiving LatestPopSong.mp3.sh would just sit there confused and asking, "Why does it keep opening this song in a text editor? Why does my music player keep getting confused?" In distros that enable SELinux, you can have even more security -- for example, a policy that prevents programs which are not part of Firefox from writing to the Firefox configuration, which would prevent typical virus-installing-keylogger-in-web browser attacks that seem to be so common today; such a policy could be maintained by the distro packagers themselves; in fact, Fedora already gives the .mozilla/ folder a different context. Sure, you can create such a security policy in Windows, but it is not done by default.

    Yes, if administered by experts, Windows can remain secure even when connected to the Internet, I will not deny that. Most single user Windows installations are not administered by experts, and unlike big name Linux distros, Microsoft does not have thousands of people tuning the Windows security policies, nor do they have tens of thousands (perhaps hundreds of thousands) of people fixing bugs.

    --
    Palm trees and 8
  9. Re:You'll still have to keep ahead of the tide by mlts · · Score: 4, Informative

    I remember the days pre-Windows when UNIX vendors were cursed and sworn at because they didn't patch the latest bugs quickly.

    People will attack whatever operating system gives them the most bots for the buck. If the predominant OS is a UNIX, then it will be invisible .ko/.kext modules that will be the sysadmin's bane.

    Right now, there are two main attack vectors other than the PEBKAC "hole" and social engineering. The first, a direct attack on a machine, can be mitigated by a solid firewalling router, so an attacker has to deal with a hardened attack surface before touching the more chewy machines behind it.

    The second attack vector is the Web browser. It is in constant contact with untrusted code. To secure this beast takes more than just good defensive programming because even with a solid browser, a third party plugin might cause issues. It takes cooperation on multiple levels, where the OS has hooks to run the browser in a sandbox, but yet allow it to have upload/download functionality that users want. Vista's protected mode of IE7 is a great start, but all Web browsers need this protection, whether it be done by SELinux type profiles that exist in various Linux distros, or actual virtual machines that completely roll back all changes except to the bookmarks when the user is done and closes the browser session. Solving this problem will close a lot of potential security threats.

    Finally, autorun just needs to go, and be replaced by a different, more secure system. Autoplay can stay, but it should never run anything other than showing the root of a CD or DVD, or pulling up a media player if a CD or DVD is inserted. In no way should an executable ever be automatically executed by default. It's just too easy these days to make a U3 flash drive with a bogus CD partition with malware present.