US-CERT: Microsoft's advice on Downadup is flawed

Instructions for disabling Windows' Autorun are flawed, security group says

Microsoft's advice on disabling Windows' "Autorun" feature is flawed, the US Computer Emergency Readiness Team (US-CERT) said Wednesday, and leaves users who rely on its guidelines to protect their PCs against the fast-spreading Downadup worm open to attack.

In an alert issued Monday, US-CERT said Microsoft's instructions on turning off Autorun are "not fully effective" and "could be considered a vulnerability."

The flaw in Microsoft's guidelines are important at the moment, because the "Downadup" worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows' "Autorun" and "Autoplay" features.

Autorun, the focus of the US-CERT warning, lets Windows automatically run any program specified in the "autorun.inf" on, for example, a CD or a flash drive, as soon as the disc or device is inserted or connected. By default, Windows has Autorun enabled.

The problem is that Downadup, which as of last week had infected nearly 9 million PCs worldwide, tries to spread using USB-based devices, typically flash drives. The worm creates an autorun.inf file at the root directory of any USB-based device it finds connected to the infected machine, then when that device is later connected to an uninfected computer, the autorun.inf file copies the worm to the machine without any action on the part of the user, or the user even knowing.

The result: another PC hacked by Downadup.

Although Microsoft has not formally recommended that users disable Autorun as an anti-Downadup measure, most security companies and researchers have in light of the autorun.inf infection vector. Acoording to US-CERT, Microsoft's advice is useless.

"The 'Autorun' and 'NoDriveTypeAutorun' registry values [specified by Microsoft] are both ineffective for fully disabling Autorun capabilities on Microsoft Windows systems," the organization said. "Setting the Autorun registry value to '0' will not prevent newly-connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed."

Likewise, the recommended '0xFF' setting for the NoDriveTypeAutorun registry entry, which Microsoft says "disables Autoplay on all drives," won't protect users from infection if they happen to double-click on the drive's icon in Windows Explorer, said US-CERT.

Join the newsletter!

Error: Please check your email address.

Tags downadupcert

More about CERT AustraliaMicrosoftnCirclenCircle Network SecurityVIA

Show Comments