Microsoft's instructions for disabling AutoRun don't work
US-CERT has published a Technical Cyber Security Alert warning of problems with disabling the Windows AutoRun/AutoPlay functions. It seems that the method described by Microsoft, of configuring the AutoRun and NoDriveTypeAutorun registry keys, doesn't completely disable the AutoRun and AutoPlay functions. When they are completely disabled, a program on a removable storage device will not run as soon as the device is connected, nor will the AutoPlay dialogue pop up with suggestions for further steps.
Several sources report that the Conficker worm, now going around, is exploiting the incorrect configuration of the AutoRun and AutoPlay functions, by inducing users to run the worm when they plug in an infected USB stick. The worm brings up a fake icon in the AutoPlay display that may fool an unwary user into clicking it, thinking they are opening a folder, but instead they are unleashing the worm.
Microsoft has confirmed the problem and has pointed to a Knowledge Base article, available since March 2008, that describes the vulnerability and also contains links to updates for Windows 2000, XP and Server 2003 which correct the error and set the correct key. US-CERT says that update MS08-038 has already eliminated the error in Vista and Server 2008, and its report gives its own workaround to fix the problem.
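The following read-only audit script is an added example, not code from US-CERT or Microsoft: it checks whether the NoDriveTypeAutoRun policy actually covers all drive types, whether the value that Microsoft's update uses to enforce that policy is present, and whether the Autorun.inf mapping workaround is in place. The value names HonorAutoRunSetting and the IniFileMapping entry are assumptions based on the published fix and workaround, and 0xFF is assumed to be the "all drive types" bit mask.

```powershell
# Audit whether AutoRun is really disabled on this Windows host (read-only).
# Added example, not from the original article, US-CERT or Microsoft.
# Assumptions: NoDriveTypeAutoRun = 0xFF covers every drive type; the update
# adds HonorAutoRunSetting = 1 so the policy is enforced; the IniFileMapping
# entry for Autorun.inf is the US-CERT workaround.

$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Return the registry value, or $null if the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

foreach ($p in $policyPaths) {
    $v = Get-RegValue $p 'NoDriveTypeAutoRun'
    if ($null -eq $v) {
        $findings += "[$p] NoDriveTypeAutoRun not set"
    } elseif (($v -band 0xFF) -ne 0xFF) {
        # Only 0xFF disables AutoRun on every drive type; lower masks
        # (e.g. 0x95) still leave some drive types enabled.
        $findings += ('[{0}] NoDriveTypeAutoRun = 0x{1:X2} (not 0xFF)' -f $p, $v)
    }
}

# Without the corrective update the policy above may not be honoured (assumed
# to be signalled by HonorAutoRunSetting = 1 under the machine policy key).
$honor = Get-RegValue $policyPaths[0] 'HonorAutoRunSetting'
if ($honor -ne 1) {
    $findings += 'HonorAutoRunSetting missing or not 1: NoDriveTypeAutoRun may be ignored (update not applied?)'
}

# Workaround: map Autorun.inf to a non-existent key so it is never parsed.
$mapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$map = Get-RegValue $mapKey '(default)'
if ($map -ne '@SYS:DoesNotExist') {
    $findings += 'IniFileMapping workaround for Autorun.inf not present'
}

if ($findings.Count -eq 0) { 'AutoRun appears fully disabled.' }
else { $findings | ForEach-Object { "WARNING: $_" } }
```

Run it in an elevated PowerShell session; it only reads the registry and reports, so applying any fix remains a separate, deliberate step.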
See also:
- Microsoft Windows Does Not Disable AutoRun Properly, Technical Cyber Security Alert from US-CERT
- How to correct "disable Autorun registry key" enforcement in Windows, support article from Microsoft
- F-Secure now claims nine million Conficker infections, report at heise Security UK
(djwm)