Site Network: | | Jongsma & Jongsma

Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at S?nnet Beskerming.

Username: | Password: Contact us to request an account

AutoRun To Be Disabled, But Not Completely

AutoRun is an innovation that over the years has been a blessing and a curse for computer users. The Windows feature that allows software to start automatically when removable media is attached to / inserted into a Windows machine has made life easy for many computer users who would be lost without having software to guide them through an installation process or other use of material on the storage medium. The downside is that, since other software can be run through this capability, it was only a short period of time before it began being abused for malware installation. While AutoRun has been around for a number of years, it is still being used as part of installers and malware spreading mechanisms even today. Conficker, the worm that has attracted the most attention over the last six months uses AutoRun capabilities to aid in its spread, using it as an alternative infection mechanism to targeting the MS08-067 vulnerability over a network.

Microsoft has recently moved to turn off Autorun for good, at least for media that isn't optical (of-course malware can be inserted on CD-R media as easily as it can CD-RW). This change is being sold as a means to address changes in the Threat Landscape, but with AutoRun malware having been around for a number of years, it is the recent spike in popularity of malware using it as an infection route that has led Microsoft to make this decision. It would have been nice for end users if this had been done some years ago, before it became too much of a security problem (Microsoft provides graphs showing a significant uptick over the last 18 months), but at least something is being done slowly now.

The downside for most users is that this feature will be making it into Windows 7, and not for the current versions, though there are readily available registry fixes that can disable AutoRun for existing Windows versions. Microsoft has indicated that they are planning to release fixes for Vista and XP to bring this improvement to those systems as well.

Many system administrators have tried to keep AutoRun disabled over the years, but found that patches from Microsoft would strangely re-enable it from time to time. Until Microsoft releases the changes for Vista and XP, there are plenty of sample Registry fixes that can easily be found online which can be applied to temporarily disable AutoRun for these systems.

As good as the change seems on the surface, the detailed explanation of what is being done is less promising than it is being made out for. The primary change, of modifying AutoPlay to ignore AutoRun information on non-optical media will prevent the confusion-based social attack that Conficker is currently using, where the AutoRun information presents identical to a subsequent core Windows option, the only difference being it presented as "Install or run program", and not as "General options", which is the core Windows function category.

The second part of the change, primarily for optical media is that the "Install or run program" option is renamed to "Install or run program from your media". With some thumb drives capable of reporting as optical media, and Microsoft's decision to treat such media as optical media, adding three little words isn't going to stop the infection mechanism that is in use. Why is Microsoft allowing some USB mass storage devices to be treated as optical media is because this determination is made at the hardware level and is something that should be next to impossible to spoof through the data on the drive. Assumptions like this have been shown to be false in the past and it is a question of how much time it will be before a means to work around this limitation can be found, either through introducing a mini-partition on the thumb drive that identifies as optical media, or through some other technique.

Keeping this feature around for optical media isn't going to stop malware like the Sony/BMG rootkits that were installed silently from some audio CDs. What it will do is severely limit the usefulness of USB devices like photoframes, thumb drives, cameras, CF cards, and some external hard drives for the average user. Time will be the true test as to whether the computer skills of the average computer user have improved to the point that disabling AutoRun isn't going to hinder their normal use of a system.

1 May 2009

Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis

Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.

Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.

Comments will soon be available for registered users.