If the latest National Cyber Alert System document from US-CERT can be believed, the W32.Downadup worm issue is even more serious, because Microsoft's workaround of disabling Autorun through the registry does not disable it completely.
An excerpt from the document is provided below:
Impact
By placing an Autorun.inf file on a device, an attacker may be able to automatically execute arbitrary code when the device is connected to a Windows system. Code execution may also take place when the user attempts to browse to the software location with Windows Explorer.
Solution
Disable AutoRun in Microsoft Windows
To effectively disable AutoRun in Microsoft Windows, import the following registry value:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
To import this value, perform the following steps:
1. Copy the text
2. Paste the text into Windows Notepad
3. Save the file as autorun.reg
4. Navigate to the file location
5. Double-click the file to import it into the Windows registry
Microsoft Windows can also cache the AutoRun information from mounted devices in the MountPoints2 registry key. We recommend restarting Windows after making the registry change so that any cached mount points are reinitialized in a way that ignores the Autorun.inf file. Alternatively, the following registry key may be deleted:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Once these changes have been made, all of the AutoRun code execution scenarios described above will be mitigated because Windows will no longer parse Autorun.inf files to determine which actions to take.
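To confirm the change actually took effect on a machine, here is a read-only PowerShell audit, added as an example and not part of the US-CERT document or the original post. The function names are hypothetical, and the walk over HKEY_USERS is an addition based on MountPoints2 being a per-user key, so HKEY_CURRENT_USER only covers the account running the check.

```powershell
# Read-only audit of the AutoRun mitigation quoted above; it changes nothing.
$mapKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$expected = '@SYS:DoesNotExist'
$mp2Tail  = 'Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Test-AutorunInfMapping {
    # True only when the key exists and its default value is the expected string.
    if (-not (Test-Path -LiteralPath $mapKey)) { return $false }
    $value = (Get-Item -LiteralPath $mapKey).GetValue('')   # '' selects the default value
    return ($value -eq $expected)
}

function Get-CachedMountPoints {
    # MountPoints2 lives in each user's hive. Only hives that are currently
    # loaded (logged-on users, service accounts) appear under HKEY_USERS.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $path = "Registry::HKEY_USERS\$($_.PSChildName)\$mp2Tail"
            if (Test-Path -LiteralPath $path) {
                # One subkey per cached volume or network mount point.
                $entries = @(Get-ChildItem -LiteralPath $path -ErrorAction SilentlyContinue)
                [pscustomobject]@{
                    Hive    = $_.PSChildName
                    Entries = $entries.Count
                }
            }
        }
}

if (Test-AutorunInfMapping) {
    'IniFileMapping\Autorun.inf: default value is @SYS:DoesNotExist'
} else {
    'IniFileMapping\Autorun.inf: mitigation value NOT present'
}

# Hives that still hold cached mount points after the change.
Get-CachedMountPoints | Where-Object { $_.Entries -gt 0 } | Format-Table -AutoSize
```

Run it from an elevated prompt so hives belonging to other accounts are readable; hives it cannot open are skipped rather than reported.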
I haven't personally tested any of these workarounds. Will be adding more here as I dig further into this.
References:
http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html
Nick Brown's blog: Memory stick worms - <http://nick.brown.free.fr/blog/2007/10/memory-stick-worms>