Newsletter Archives

  • Microsoft will disable AutoRun and change AutoPlay

    Remember all the angst over Windows AutoPlay and AutoRun? (For a detailed discussion of the differences between AutoPlay and AutoRun, start with this Wikipedia article.) AutoPlay was a major infection vector for Conficker. It’s always been a huge security hole in Windows.

    Microsoft just announced that it’s disabling AutoRun in Windows 7, and changing the way AutoPlay works. The details are a bit hard to follow – the terminology is more than a bit obfuscating – but here’s what’s happening:

    As I explained in my Windows Secrets column in January, it’s very easy to create a file called autorun.inf that can confuse the living daylights out of people. If you stick this custom-made autorun.inf on a USB drive or burn it on a CD, the commands in that file will cause Windows to display a (potentially infective) program on the AutoPlay menu, the menu that appears every time you insert a USB drive or CD into your computer (see screen shot).

    [Screen shot: AutoPlay tricked out by an autorun.inf file]

    In fact, autorun.inf controls what appears on the AutoPlay list if you stick it on any kind of removable media – USB drive, CD, DVD, SD card (so a card from your camera could infect other computers), and so on.

    Microsoft is changing Windows so it behaves in two different ways, depending on whether the autorun.inf file is stuck on (1) a CD/DVD, or (2) any other kind of media, notably a USB drive or SD card.

    In the future, when Windows finds an autorun.inf file on a USB drive or SD card, it ignores the file. Nothing happens. You can create the most diabolically clever autorun in the history of mass infections, put it on a USB drive, and if someone sticks the drive in a properly patched Windows machine, it won’t do squat. AutoPlay doesn’t list anything from the autorun.inf, and nothing runs automatically.

    In the future, when Windows finds an autorun.inf file on a CD or DVD, it shows the contents of the autorun.inf in the AutoPlay window, but the new, revised AutoPlay window warns you that the entry associated with autorun.inf is from the CD, not from Microsoft. The AutoPlay warning says “Install or run program from your media.”

    And no matter where the autorun.inf file comes from, it can’t launch its own program. You have to do the clicking – point the gun at your own foot and pull the trigger.
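
    The revised handling described above, as a small Python model. This is an added example, not code from Microsoft or from the original post; the function names and the sample file are constructed, and `open` and `shellexecute` are the standard autorun.inf keys that name something to start.

```python
# Added example: models the revised AutoRun/AutoPlay handling described above.
# parse_autorun, autoplay_outcome and SAMPLE are hypothetical names.

LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys that name a program or file
WARNING_TEXT = "Install or run program from your media"  # wording quoted in the article

def parse_autorun(text):
    """Return the [autorun] section as a dict with lowercase keys.

    Lines that are not key=value pairs are skipped, so padded or
    malformed files still parse instead of raising.
    """
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def autoplay_outcome(media, autorun_text):
    """media: 'optical' (CD/DVD, or the CD part of a U3 drive)
    or 'removable' (USB drive, SD card)."""
    if media not in ("optical", "removable"):
        raise ValueError("media must be 'optical' or 'removable'")
    entries = parse_autorun(autorun_text)
    target = next((entries[k] for k in LAUNCH_KEYS if k in entries), None)
    # USB/SD: the file is ignored. CD/DVD: the entry is listed with a warning.
    shown = media == "optical" and target is not None
    return {
        "entry_shown": shown,
        "target": target if shown else None,
        "warning": WARNING_TEXT if shown else None,
        "runs_without_click": False,  # never launches on its own, either way
    }

SAMPLE = """\
; constructed sample, not taken from any real media
[autorun]
open=setup.exe
action=Install Example App
stray line with no key or value
[other]
open=ignored.exe
"""
```

    Calling `autoplay_outcome("removable", SAMPLE)` reports no AutoPlay entry, while `autoplay_outcome("optical", SAMPLE)` reports the entry along with the warning text.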

    The recently leaked Windows 7 Release Candidate, which should be widely available next week, already has those changes to AutoRun and AutoPlay. In addition, says Microsoft, “we are planning to release an update in the future for Windows Vista and Windows XP that will implement this new behavior.”

    It’s about time.

    Oh. There’s one little caveat. For those of you who suffer with U3 – the technology built into some USB drives that makes part of the drive look like a CD drive – Microsoft hasn’t figured out how to treat the whole USB drive like a USB drive. Instead, the CD part will be subject to the same handling as a CD. Quoth the Softies, “It is worth noting that some smart USB flash drives can pose as a CD/DVD drive instead of standard ones (see Wikipedia for an example). In this specific scenario, the operating system will treat the USB drive as if it is a CD/DVD because the type of the device is determined at the hardware level.”

  • Shift on autologous transfers?

    Reader MA writes:

    You recommend using the “shift key workaround” when inserting memory rather than installing KB 967715. That makes sense for memory that may have been used on a variety of systems but do you extend the recommendation as well to memory that has been used only on one’s OWN system?

    No need to use the shift key if you’re re-inserting a USB drive or SD card that’s never seen another system. If your machine’s clean, the memory will be clean, too.

  • What’s with the Shift key?

    Reader M writes:

    “…. Hold down the Shift key when you put anything into your computer. …”

    Besides the obvious gymnastics involved in this, what is holding down the shift key supposed to do to defeat the worm if it’s on the flash drive?

    Holding down the Shift key prevents Windows from automatically running whatever it’s supposed to run automatically. In the case of a Conficker-infected USB drive (or camera memory card), holding down the Shift key will prevent the worm from putting a very confusing message on your desktop that may easily trick you into allowing the worm to infect your machine.

    In general, it’s a good idea to hold down the Shift key and open the drive (or memory card) manually, by clicking Start, Computer (or My Computer), then right-clicking on the USB drive (or memory card) and choosing Explore.

    In a similar vein, JB writes:

    [W]hen you talk about holding down the shift key when you install a cd or dvd, how long do you hold it down?

    I bought some blank DVD+R to make backups for my computer. Do I hold the shift key down when putting a blank DVD+R in?

    When you hold down the Shift key, you need to keep it down long enough for Windows to recognize that the drive’s in the slot, and then have it realize that it shouldn’t do anything. Ten seconds should do the trick.

    No need to hold down the shift key when you insert a blank CD-R or DVD-R – as long as you know that they’re blank.

  • What to do about KB 967715?

    Reader TJ writes:

    Currently I’m a bit fuzzy on your recent post on KB967715 as to whether to install now or wait. I do use the “shift” key, but am not clear as to install now or not. Could you please be a bit more specific on this in one of your next blogs? (Have to remember, I’m an XP dummy – lol).

    Good question.

    Right now, I recommend most users remember to push the Shift key when inserting any kind of memory into an XP computer – USB drive, the SD card from your camera, even a CD or DVD.

    People in a corporate environment aren’t so lucky. Companies can’t expect everybody to hold down the Shift key – and they’re paying for it.

    The definitive articles on the topic, in my opinion, are the two Susan Bradley wrote for Windows Secrets Newsletter. Her March 5 Top Story, “AutoRun patch a long time coming for XP users,” describes the patch and its shortcomings. Her March 12 follow-on article, “Microsoft flubs a way to disable AutoRun in XP,” tells you where Microsoft went wrong – and how to fix it.

    The bottom line is that it’s a LOT of work to get XP to disable AutoRun. Ain’t worth the effort for people who are smart enough to hold down Shift. But you HAVE to remember to hold down the Shift key every time you insert memory.

  • Microsoft finally makes it possible to disable Autorun

    The latest Windows Secrets Newsletter just hit the stands, and Susan Bradley’s lead article, AutoRun patch a long time coming for XP users, finally nails the topic of turning off AutoRun.

    Managing AutoRun has become a #1 hot topic precisely because the Conficker worm can use AutoRun to propagate via USB drives.

    So Microsoft posts a $250,000 bounty for information leading to the arrest of the cretins who created Conficker. Two weeks later – after waiting 18 months – MS patches one of Conficker’s simplest infection vectors.

    Something does not compute.

    Microsoft has a patch out now that lets everybody running Windows XP or later truly disable AutoRun. It’s KB article 953252 for Vista and KB article 967715 for WinXP, 2000, and Server 2003. I’ve heard that there are some minor problems with the patch being offered multiple times on the same machine, but there don’t appear to be any significant hassles.

    I like Susan’s advice:

    For home users, I’m not yet ready to pull the fire alarm and tell everyone to disable AutoRun. But I do urge you to be very leery of plugging USB flash drives into your system if you’re unsure whether they’ve been used on other computers. Large organizations, however, should consider disabling AutoRun on their networked PCs, considering how hard it’s been to stomp out the Conficker worm and others.

    Follow Susan’s detailed explanation if you really want to make it impossible for renegade USB drives (or CDs or SD cards or…) to infect your computer as soon as they’re inserted.

    Good article. Check it out.