US-CERT Says Microsoft's Advice On Downadup Worm Bogus
CWmike writes "Microsoft's advice on disabling Windows' 'Autorun' feature is flawed, the US Computer Emergency Readiness Team (US-CERT) said today, and it leaves users who rely on its guidelines to protect their PCs against the fast-spreading Downadup worm open to attack. US-CERT said in an alert that Microsoft's instructions on turning off Autorun are 'not fully effective' and 'could be considered a vulnerability.' The flaw in Microsoft's guidelines is important at the moment, because the 'Downadup' worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows' Autorun and Autoplay features."
I thought worms only lived in the dirt and my dogs ass
Proudly Butchering code for 20 years
Why is this considered news? Microsoft's security recommendations have never been taken seriously. We're supposed to still not take them seriously? Ok. But not news, as, obviously, this is nothing new. Obviously.
Anyone that willingly continues to use it for anything except as a non-Internet connected game machine deserves whatever they get.
Microsoft supplied the software that allows people's computers to become infected, then gave them false information leading them to believe they're safe, when they're not really.
Suspicious...
Follow me
Is it really true that you have to edit the registry to turn off autorun? There isn't any clicky? Amazing.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Would like to see a worm disable some of Microsoft's DRM and see how fast they come out with a working patch.
Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
I am asking Slashdot because you are very intelligent beings?
It makes me feel a bit dizzy every time I think that this "feature" is enabled by default. It's a feature in the same way that an online banking system might feature login without a password, "just type your name to instantly access your account!" It saves the user a tiny hassle against an opportunity for absolute catastrophe.
Autorun is high on my list of stuff to disable very shortly after installing a fresh copy of Windows.
And it's not like it's a secret that this is a vulnerability. There's a reason Apple abandoned this capability when it moved from OS 9 to OS X.
Microsoft deserves derision for continuing to offer and promote this feature.
If Microsoft can't be bothered by it, nor convinced it's a very, very, bad idea, then autorun should at be limited exclusively to CDs and DVDs. That would merely be a terrible idea, as opposed to a downright catastrophic one.
Does Windows Vista or Window 7 handle this differently than XP??
break?
Yet another reason I am glas I run a vierually 100% secure OS where such stuff can never happen. Ever.
Even though autorun is like one of the dumbest ideas ever, MS thinks of it as a COOL FEATURE and disabling it is going to break the COOL AUTOMATION that they have sold your grandma, who will no longer be able to just plug her camera into the computer and have it do its thing automatically. Their users might have to THINK which we all know is a bad thing, especially if you are thinking about how well your Microsoft product works.
Brackets contain world's first nanosig, highly magnified:[.]
Disable Autorun anyway, because it's fucking annoying.
"by taking advantage of Windows' Autorun and Autoplay features"
well no, not really.
Granted, they take advantage of the fact that...
1. there is an autorun feature. Is that so horrible? Probably not.
2. that the autorun feature pops up a display letting the user choose what to do (i.e. run the program, browse the drive, view pictures if it finds them, etc.). Again, not so bad.
3. that the autorun feature lets you customize the icon. Okay, things get a little hairy here - it's nice when the icon fits the program, but this malware uses the icon of... a folder. Just like the 'browse the disc/device' icon.
4. that the autorun feature does not have a -clear- distinction between what are autorun directives (run the program), and what are windows' built-in features (browse the drive).
The fourth is nearly inexcusable and if handled well, it would alleviate the third as well - just put a big red border around the darn thing (is one option, anyway).
In the end, though, it doesn't exploit 'autorun' directly - it exploits the fact that many users will think that the option with the folder icon with (misleading) description is the regular 'browse drive' option and click it carelessly.
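The pattern the poster above describes (a launch directive dressed up with a folder icon and an "open folder" style description) can be checked for mechanically. The following PowerShell is an added example written for this thread, not code from any poster, US-CERT or Microsoft: it parses the [autorun] section of an autorun.inf and reports why an entry looks like it is impersonating Explorer's own "browse" option. The shell32.dll icon indices 3 and 4 (closed and open folder) and the sample autorun.inf at the bottom are my own assumptions and a constructed input, respectively.

```powershell
# Added example (not from the thread): inspect an autorun.inf and flag the
# "looks like a folder, actually runs a program" pattern described above.
function Get-AutorunDirectives {
    param([string[]]$Lines)
    # Returns key=value pairs from the [autorun] section, keys lower-cased
    $directives = @{}
    $inAutorun = $false
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $inAutorun = ($Matches[1] -ieq 'autorun'); continue }
        if ($inAutorun -and $line -match '^([^=]+)=(.*)$') {
            $directives[$Matches[1].Trim().ToLower()] = $Matches[2].Trim()
        }
    }
    return $directives
}

function Test-AutorunSuspicious {
    param([hashtable]$D)
    $reasons = @()
    $mimics  = 0

    # Directives that cause code on the media to execute
    $launchKeys = @('open', 'shellexecute') + @($D.Keys | Where-Object { $_ -like 'shell\*\command' })
    $launches   = @($launchKeys | Where-Object { $D.ContainsKey($_) })
    if ($launches.Count -gt 0) {
        $reasons += 'launches: ' + (($launches | ForEach-Object { "$_=$($D[$_])" }) -join '; ')
    }

    # Folder icon borrowed from shell32.dll (indices 3/4 assumed to be the folder icons)
    if ($D['icon'] -match 'shell32\.dll\s*,\s*(3|4)\s*$') {
        $reasons += "icon mimics a folder: $($D['icon'])"; $mimics++
    }

    # Menu text that imitates Explorer's built-in "Open folder to view files" entry
    foreach ($k in 'action', 'label') {
        if ($D[$k] -match 'open folder|view files|browse') {
            $reasons += "$k text mimics Explorer: $($D[$k])"; $mimics++
        }
    }

    [pscustomobject]@{
        Suspicious = ($launches.Count -gt 0 -and $mimics -gt 0)
        Reasons    = $reasons
    }
}

# Constructed sample for demonstration only; not a real worm's autorun.inf
$sample = @'
[autorun]
open=program.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
'@ -split "`r?`n"

Test-AutorunSuspicious (Get-AutorunDirectives $sample) | Format-List
```

Run it against the autorun.inf on a freshly inserted stick (`Get-Content E:\autorun.inf`) before double-clicking the drive; a plain "launches" reason on its own is how a legitimate installer disc looks, while a launch plus a folder icon or Explorer-like menu text is the case the thread is warning about.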
Why did neither MS or CERT suggest the use of TweakUI to turn off Autorun?
The real "Libtards" are the Libertarians!
Why does Microsoft make it so difficult to disable auto-run? I understand that many customers may like the feature, but why not a simple control panel entry to stop it? Is it somehow tied with DRM for playing videos? I'm not just griping - they must have some reason for this, anyone know what it is?
Seriously, what are you talking about? I see a lot of "Vista's evil DRM," tossed around, and very little in the way of specifics to back up what it does, which of course leads me to think the people doing the talking don't know what they are talking about.
So what DRM do you want to see disabled? Are you talking about HDCP, the DVI encryption? That's not MS's standard, by the way, DVD and Blu-ray players are where that's from. However, it is one of those things that you don't have to use if you don't want to. I have a Vista system connected to a monitor which has HDCP turned off (professional monitor, you can change the state manually). Means if the system required HDCP, I'd get no image. But it works fine. Reason is, HDCP is only required by Blu-ray playback software. Now you could disable it on the system, I suppose, but that'd gain you nothing. The software would just refuse to play. It wasn't as though MS said "Let's include this to fuck people." Rather it is required if you want to license Blu-ray playback.
So again, what DRM are you talking about? I'm tired of all this bitching from people who don't know what they are saying. If there is something in particular you object to, let's hear what and why. Otherwise, please stop going on about things you don't understand.
Did nothing?? What planet were you on?
The machine took out more than a lot of mail servers, bringing them to a grinding halt for the duration.
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
Many Microsoft screw ups could be managed by changing its default settings, but unfortunately Windows caters to Grandmothers who can't follow complicated instructions such as go to run, type d:\start.exe, much less mount /dev/hdc -t iso9660 -r /cdrom, or sudo apt-get install omgponies. What really pisses me off is that the simple tools for managing common system administration are not even included with the home version, which is the version that needs the admin tools because it is more likely to be infected due to the default settings. The group policy editor is how you should disable autorun, but it isn't included with XP Home. If it were included it would be more like XP Pro, which should be their lowest version. They should have an XP tech version that allows you to increase TCP connections, and import policies without Active Directory, and allow more than 10 SMB connections, and be able to update other XP boxen with its own installed Windows patches. Oh well, at least I don't always have to tell my Mom to find My Computer, then the D Drive, which she cannot do. I just tell her to insert the damn disc. So what's my solution to this whole fiasco? ESET Nod32. Pay for it and update it. It's not perfect, but what is?
Perhaps it's more accurate to say that the Morris Worm did not carry a destructive payload. It's true that it brought down more than a few servers, but that was only because it spread so rampantly without -- as with many modern worms -- any kind of rate-limiting logic.
Even more suspicious is that this bulletin suggests there is a security flaw in the world's most secure OS, Vista. Clearly, the boys at CERT are on crack.
he halts pay increases while spending more tax payer money than any other president on his own inauguration. where i come from that's called grandstanding. he's just a fucking fraud and his supporters are bitches and faggot liars.
How true. IIRC, it was meant to gather information, not destroy it. I also recall that rate-limiting logic was present, but with such bad numerical assumptions as to be bogus.
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
Just install the update that Microsoft released in October?
Your Etch A Sketch sounds very nice. I am glas you posted this. I wonder if a spell checker can be vierually installed for you and your 100% secure OS. Ever.
P.S. Shake it good and it will go away.
You are lucky, Ed Gruberman. Few novices experience so much of Ti Kwan Leep so soon.
I have not heard of such a company. Surely it must be a nom de plume for everyone in /. !
If they don't support it, they can't play Blu-ray (and HD-DVD before that went under). Ok well what is the average consumer going to do: Blame the AACS-LA, or which ever nebulous industry licensing authority is responsible, or blame the OS maker?
Goes double since the media industry doesn't have to knuckle under. Remember most people watch movies on their TVs. While it isn't a trivial amount who watch on computers, it isn't the majority either. Thus they can get away with just selling to people with players while users scream at MS for "not supporting HD". Besides, you know Apple would (they do) and would use it as a marketing point.
So I see their choice as the correct one. It gives the consumers the most options. The OS works just fine with no HDCP unless it is demanded. If it is demanded, it is supported.
Besides, you can just as easily argue that nVidia, ATi and Intel should have killed it. If the graphics adapter doesn't support it, it's a moot issue. However they do.
You ignore an important assumption of the post you reply to, that the blackhats are aware that their target population, "those types", have migrated to Linux, and have started to target them there.
Currently there is no point to doing that, because of the very limited use of Linux by such users.
When "those types" are all using Linux, you'll need to install Plan9 or something equally exotic in order to attain the same level of security you have on your 4 Linux desktops now. Even that might not work, because in all probability (because of the way open-source works), your Plan9 installation will share applications like browsers and mail clients with the current mainstream Linux desktops.
OTOH, I still think the 4 Linux desktops will be more secure than WinXP is now, even after becoming mainstream, because more people will actually care about making them secure. You see, Microsoft currently doesn't care that much about how secure Windows is, because any security vulnerability in it is mostly an externality to them economically, they only lose a bit of reputation. So I'm fairly sure that the large group of volunteers trying to secure Linux is actually more motivated, and hopefully at a time when Linux is mainstream there would (hopefully) be even more effort being invested in securing it (of course, with the "too many cooks" effect and all, you cannot be sure this will help).
Of course, if we ever get to a future where Linux is as (or more) mainstream than Windows, what I said about Microsoft seeing security as an externality will no longer be true. So predicting the future here is about as easy as predicting the stock market.
...and the periodic screams of horror as people realise that they got taken in by "even faster and even more secure" AGAIN, provide a good one.
How many iterations of Windows is it now?
And every time the same crap. Every time they promise that "this time we've got it right" and every time they haven't.
This isn't Stockholm Syndrome this is closer to a Loony Tunes cartoon. Maybe Ballmer should appear at a press conference with a hand held sign with "This is silly!" written on it.
Yes, and I love Vista's audio system ... It does high quality (32-bit floating point) software mixing of all audio streams. ... Likewise, you can control the volume on individual apps ... It's resampling engine is also great. It opens up the sound card in the mode you tell it to, and resamples all audio to that.
Darn it! You're making me like Vista! I'm feeling myself turning into another Windows zombie now.
(in a Borg voice) Come use Vista ... there is nothing to fear ... you will be assimilated (into the 90% "Windows" users).
chkrootkit, tripwire, clamav, shorewall, john-the-ripper, and snort run on a lot of systems considered super secure by their users.
Some people consider their systems super secure because they know they are not they guess they are.
The question on freebsd-security a few years ago was what was the best way to avoid denial of service attacks if you are logging to lpr. (one of the obvious suggestions is do not log repeated messages, just the number of times the message has repeated. this will increase the work required to kill your server by running through all the paper and hanging until more boxes of paper are fed to the printers.)
That was the same list that made me realize that you should not have passwords on multiuser systems, or servers in general.
Do you really think that people use passwords like this
makepasswd --char=32 --count=10
CLWwBsm1c15IFadg4KTjrHhCBjFP8RNI -- for slashdot
RLQaXqSEfRHgLnwjjbgoJU5y4Uya2hM6 -- for gmail
NebgFMATH990vB8US8CE4zMgeR7uum02 -- for Administrator
SFa0qT5nIQuLYtTsq44I8336ghEBApiD -- for user account
smcruMr8rzE6PFHzus8AmPcIoKNFy0Rh -- for facebook
L6wynpgAHoINdQm2CWwXdfSiJrBzQ8YG -- for myspace
Q3D1JBVXtgPNNo4bm16WAcKPMhox8s6C -- for banking
L1hEhuisoFcnoyGEYxPYqW8Hq4Qs2EmY -- for retirement account
2RqaobNEKyQIIoUVoFPty6EruLQhVE0F -- for work login
s0zJFsLiWCSN0e5fCEvpi48GV4D0PjyH -- for paypal
Phishing sites are one of the best ways to effectively get the information and tools needed to illicitly act on behalf of someone else.
At some point public key logins via ssl will become the norm, until then, passwords will be the weak point in most systems.
Realize that even though debian had the ultra limp ssl keys generated, it still seems to be more productive to use password guessing than to try brute forcing an almost known key. Passwords suck that bad.
I would not be surprised if a sizable number of systems (more than 10%) in Arizona could be broken into this week with a dictionary attack of:
cardinals
cardina1s
Cardina1s
For those that want an analogy, imagine zoning laws that required NORAD style doors on all buildings and twenty percent of the population deciding that it is stupid and refusing to lock their doors. You would have a situation similar to the computer landscape today.
Work bio at MMWD
The summary does provide the very same link to US-CERT.
Colorless green Cthulhu waits dreaming furiously.
We use a WSUS server to roll out updates to all our clients here and I can't find this patch for love nor money. Is there anybody running WSUS who's successfully rolled out this patch?
The CERT article says this has been updated in a security release from July 2008, the download KB950582 was released in August 2008. I find it very worrying that I can't find any trace of this on our update server. It makes me wonder what other security patches Microsoft haven't made available.
the legitimate sites that have been compromised that install junk on a users workstation or steal data. You cant blame the users for going to dodgy websites when there are compromised legitimate sites.
"The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
I want to pass contacts just one web link to help them decide: -have I got it already? -if I have, what do I do next? -if I have not, how do I avoid getting it? They all have AV, and most are on auto-update, but they need reassurance (and I couldn't ask them to edit the registry or tussle with TweakUI). I do not see anywhere a single point of contact for unsophisticated users with the above reasonable questions. And has anyone said that running the Microsoft update will remove *existing* infections?
that still leaves out 95% of the population;-)
Holy Cow, are you saying that if there's a CDFS partition on the drive, the program specified by autorun.inf will run *regardless* of any settings?
Wow. I guess that "feature" will be coming to the next evolution of Conficker in, say, some time in the next 5 minutes?
As technology accumulates, the hatred between people tends to decrease. - Steven Pinker
Unfortunately KB950582 was not classified as a required security patch for Windows XP, and consequently not included for distribution in Windows Update or WSUS.
Thanks. How do you find out if updates like this are available through WSUS, or whether Microsoft has decided they're not important? I couldn't see anything in the update description to distinguish it from all the other security (and other) updates that are available.
And I guess my next question is how important is this? We disable autorun via group policy already, what exactly is missing without this patch?
The US-CERT article might have linked to an old MS article that doesn't work, but the new one doesn't work either. It requires users of Vista, for instance, to use Gpedit.msc. Type it into your search bar and run it, it says.
Vista Home Premium (and less) does not contain Gpedit.msc. I mean, for f**k's sake.
Autoplay and Autorun (along with hiding file extensions by default) are reasons that Microsoft still does not take the safety of the users of its software seriously.
Maybe this crap will rid us of Auto(play/run) forever? (I can hope.)
Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
Why link to a computerworld article about CERT's advice when you could link directly to the CERT article?
You must be new here.
Free Martian Whores!
Although it is definitely a good idea to install the patch it will neither guarantee that no host in your environment gets infected nor does it guarantee that it will not spread within your network.
The worm propagates not only via the SMB vulnerability but also via autostart.inf on removable media and network shares and tries to brute force your Admin$ shares with the Administrator account.
So, disabling autostart is indeed a very good idea additionally to patching the SMB vulnerability.
... don't add up.
In an alert issued on Monday, US-CERT said Microsoft's instructions on turning off Autorun are "not fully effective" and "could be considered a vulnerability."
[several paragraphs later]
Instead, users should make a different modification to the Windows registry, US-CERT said. In the alert, it gave the new value as well as instructions on how to copy it to Windows Notepad and import it into the registry.
Hey, Computerworld editors (and to whomever else it may concern): when you finally tell the reader that the alert contains information the user wants to know, it might be a good idea to link to that source again so the reader doesn't have to search back in the article to find the previously supplied link. Further, I'd suggest using a link to the named anchor when available where the solution is provided to make it even easier.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
TweakUI is just a GUI frontend for registry settings. The TweakUI setting for AutoRun/AutoPlay is just setting the value for the NoDriveTypeAutoRun registry key, which does not work properly, as outlined in the alert.
Kudos to whomever it was at US-CERT that had the balls to take on Microsoft on this. I thought all US-CERT stuff about Windows had to be filtered through the Microsoft PR department, but this gives me some new respect for the organization.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
When using "@" as the target value name with the GUI, it doesn't work. For folks wanting to do this on hundreds of machines: with the .reg file clicky method, the value that the data gets written to is (Default), not @. When reg.exe is used and @ is the target, a @ value gets created, and (Default) is blank. Using "(Default)" for the value with reg.exe creates a new (Default) entry, so there are two (Default)s in the registry. Nice. The trick is to use an empty value name (/ve). So, a good reg.exe command looks like:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /ve /d "@SYS:DoesNotExist"
Then it works. It would have been nice if the CERT folks had explained in detail the magic that the "@" in their registry file did; not all of us are Windows gurus.
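For anyone rolling this out to many machines, here is an audit-and-remediate version of the same fix in PowerShell. It is an added example for this thread, not a script from US-CERT, Microsoft or the poster above: it reads the NoDriveTypeAutoRun policy value that TweakUI and the group policy set, reads the (Default) value of the IniFileMapping\Autorun.inf key, and only writes "@SYS:DoesNotExist" when run with -Apply. The 0xFF mask for "all drive types" and the use of PowerShell's '(default)' name for the unnamed registry value are my assumptions, not something the thread states.

```powershell
# Added example (not from the alert, Microsoft or any poster): audit the two
# AutoRun registry settings discussed in this thread and optionally apply the
# IniFileMapping fix. Run from an elevated PowerShell prompt.
param(
    [switch]$Apply   # without -Apply the script only reports
)

$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$mappingKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$expected   = '@SYS:DoesNotExist'

function Get-AutorunStatus {
    $noDrive = $null
    if (Test-Path $policyKey) {
        $noDrive = (Get-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' `
                    -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    }
    $mapping = $null
    if (Test-Path $mappingKey) {
        # '(default)' is the registry provider's name for the unnamed value (reg.exe /ve)
        $mapping = (Get-ItemProperty -Path $mappingKey -Name '(default)' `
                    -ErrorAction SilentlyContinue).'(default)'
    }
    [pscustomobject]@{
        NoDriveTypeAutoRun = $noDrive
        # 0xFF = bit set for every drive type (assumed, widely documented value)
        AllDrivesDisabled  = ($null -ne $noDrive) -and (($noDrive -band 0xFF) -eq 0xFF)
        IniFileMapping     = $mapping
        MappingInPlace     = ($mapping -eq $expected)
    }
}

$status = Get-AutorunStatus
$status | Format-List

if (-not $status.MappingInPlace) {
    Write-Warning 'Windows will still parse Autorun.inf: NoDriveTypeAutoRun alone is not enough (see the US-CERT alert).'
    if ($Apply) {
        if (-not (Test-Path $mappingKey)) { New-Item -Path $mappingKey -Force | Out-Null }
        # Writes the unnamed (Default) value, the equivalent of reg.exe ... /ve /d
        Set-ItemProperty -Path $mappingKey -Name '(default)' -Value $expected
        Write-Output "Applied: $mappingKey (Default) = $expected"
        Get-AutorunStatus | Format-List
    }
}
```

Deploy it as a startup script or through your management tool and collect the MappingInPlace field; that single boolean tells you which machines are still relying on the policy value alone, which, per the alert and the reply further down, still runs the executable named in Autorun.inf when a user double-clicks the drive.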
We disable autorun via group policy already, what exactly is missing without this patch?
The ability for the autorun-disable GPO (or registry setting) to _actually_ disable autorun. The buggy GPO/registry settings disabled the auto-popup, but when you double-click on a drive in "My Computer", Autorun.inf is still accessed, and the executable it references is still run. If the executable uses the standard drive icon or folder icon, many people won't think twice about double-clicking versus right-click-open.
Hmm, in that case I might be ok. Double-clicking on a CD-ROM in My Computer just opens the folder with this policy in place, and the Autorun entry is completely gone from the right-click menu.
I wonder if there's been a stealth patch somewhere. I read that this *is* deployed for Vista & Server 2008 as part of another patch, so I wonder if it snuck in.
It doesn't seem to be required for Vista either. Manual download and installation required.
For those of us who were doing computing in the early 90s, USB-propagated viruses shouldn't be any surprise; they're just a rediscovery of the floppy disk viruses that used to be so popular. After all, it's a way to move files between machines, and also a way to move file systems with arbitrary contents that the operating system looks at before the user does. So if the OS is vulnerable, or if the files are opened by programs that treat data files as executable code, then you're open to trouble.
The "Jerusalem B" virus showed up a year before the Morris Worm. It was the first PC virus I met in the wild, around 1990, when a coworker's PC got infected by a floppy he brought in from home, where his home PC was infected by a floppy his kid brought home from school or from the kid's friends, probably with some pirated game software.
Most of the files people move around on USB sticks where I work are Microsoft Office documents, either Powerpoint or Word, and the most common time they're used is between a sales person and a customer, for instance to hand off an electronic copy of an RFP (too big to email), or to hand off a Powerpoint presentation to the person running a projector at a meeting (because the customer's LAN or wireless doesn't support adequate guest access for the sales person to connect to his email system and email it, or just because it's faster.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
The second article (the one on NoDriveTypeAutoRun) is actually for how to disable AutoRun. The problem is that even Microsoft themselves conflate the terms AutoRun and Autoplay. If you look at the article, you will notice that it was written for Windows 2000. AutoPlay was not introduced until Windows XP. So basically, you've got an article that uses the term "Autoplay" before the feature was released or publicly known.
So although the NoDriveTypeAutoRun article uses the term "Autoplay," it should be interpreted as meaning "AutoRun." The setting does not disable AutoPlay as most people understand it (the menu with multiple choices as for what to do with a plugged-in device). Now, the main issue here is that the article is not accurate, as Windows does not actually fully obey the setting unless a special update, which is not automatically deployed via Microsoft Update for all systems, is installed.
Did Downadup/conficker attack your network? I've created a batch file for system administrators to clean/patch/cure infected systems in their networks. check it out here: http://extremesecurity.blogspot.com/2009/01/beat-downadupconficker-like-pro-my.html
System -> Preferences -> Removable Disks and Media -> un-click Auto-run and Auto-open.
There. Easy, ain't it?
Of course that's on Ubuntu.