Last Updated: 2009-02-26 20:46:47 UTC
by Donald Smith (Version: 2)
Microsoft released a patch to correct the "disable autorun registry key" enforcement.
Updates are offered for the following OSes:
* Microsoft Windows 2000
* Windows XP Service Pack 2
* Windows XP Service Pack 3
* Windows Server 2003 Service Pack 1
* Windows Server 2003 Service Pack 2
US-CERT released an announcement stating that "Microsoft Windows does not disable AutoRun properly" back on January 20th.
"Disabling AutoRun on Microsoft Windows systems can help prevent the spread of malicious code. However, Microsoft's guidelines for disabling AutoRun are not fully effective, which could be considered a vulnerability."
The Conficker worm spreads via autorun and we have run several diaries about autorun issues.
Conficker -> http://isc.sans.org/diary.html?storyid=5695
PictureFrame malware -> http://isc.sans.org/diary.html?storyid=3817
PictureFrame Malware2 -> http://isc.sans.org/diary.html?storyid=3807
UPDATE: A reader (thanks, Michael) wrote in to say that he is using Windows XP Home Edition and was unable to follow the directions in Microsoft's KB article about using gpedit.msc to create a group policy. He is correct: XP Home can't run gpedit.msc. XP Home users need to follow the "How to selectively disable specific autorun features" steps instead. I recommend you modify the NoDriveTypeAutoRun value to 0xFF. That should disable autorun on ALL drives.
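To check what a given NoDriveTypeAutoRun value actually covers, the following added example (not part of the original diary or of Microsoft's KB article) decodes the bitmask and lists the drive types that would still allow autorun. The 0x91 and 0x95 inputs are constructed sample values; the registry path is the standard Explorer policy key and is read only when the script runs on Windows.

```python
"""Audit a NoDriveTypeAutoRun value: which drive types still allow AutoRun?"""
import sys

# A set bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown type",
    0x02: "no root directory",
    0x04: "removable (USB, floppy)",
    0x08: "fixed disk",
    0x10: "network drive",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unknown type (reserved bit)",
}
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

def autorun_enabled_types(value):
    """Return the drive types for which AutoRun is NOT disabled by value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]

def disables_all(value):
    """True only when every drive-type bit is set, as with 0xFF."""
    return value & 0xFF == 0xFF

def read_policy(hive_name):
    """Read the live value on Windows; None if unset or not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(getattr(winreg, hive_name), POLICY_KEY) as key:
            value, _type = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
    except OSError:
        return None
    # The value may be stored as REG_BINARY instead of REG_DWORD.
    return int.from_bytes(value, "little") if isinstance(value, bytes) else value

if __name__ == "__main__":
    # Constructed sample values, plus whatever this machine has configured.
    values = {"sample 0x91": 0x91, "sample 0x95": 0x95, "recommended": 0xFF}
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
        live = read_policy(hive)
        if live is not None:
            values[hive] = live
    for label, value in values.items():
        left = autorun_enabled_types(value)
        print(f"{label}: 0x{value:02X} ->", left or "autorun disabled on all drives")
```

The value is only enforced as expected once the patch described above is installed.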